2024-12-08 03:06:42 +00:00


{
"id": "CVE-2024-32962",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-05-02T07:15:21.420",
"lastModified": "2024-11-21T09:16:07.340",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "xml-crypto is an XML digital signature and encryption library for Node.js. In affected versions the default configuration does not check the authorization of the signer; it only checks the validity of the signature per section 3.2.2 of the W3C xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto`'s default validation checks. As a result, `xml-crypto` trusts by default any certificate provided via a digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via the digitally signed XML document's `<KeyInfo />` even if the library was configured to use a specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying the XML document, replacing the existing signature with a signature generated with a malicious private key (created by the attacker), and attaching that private key's certificate to the `<KeyInfo />` element. This vulnerability is a combination of changes introduced in `4.0.0` in pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation, or set `xml-crypto`'s `getCertFromKeyInfo` to `() => undefined`, forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification."
},
{
"lang": "es",
"value": "xml-crypto es una librer\u00eda de cifrado y firma digital xml para Node.js. En las versiones afectadas, la configuraci\u00f3n predeterminada no verifica la autorizaci\u00f3n del firmante, solo verifica la validez de la firma seg\u00fan la secci\u00f3n 3.2.2 de la especificaci\u00f3n w3 xmldsig-core-20080610. Como tal, sin pasos de validaci\u00f3n adicionales, la configuraci\u00f3n predeterminada permite a un actor malintencionado volver a firmar un documento XML, colocar el certificado en un elemento `<KeyInfo />` y pasar las comprobaciones de validaci\u00f3n predeterminadas `xml-crypto`. Como resultado, `xml-crypto` conf\u00eda de forma predeterminada en cualquier certificado proporcionado a trav\u00e9s de `<KeyInfo />` del documento XML firmado digitalmente. `xml-crypto` prefiere usar cualquier certificado proporcionado a trav\u00e9s de `<KeyInfo />` del documento XML firmado digitalmente, incluso si la librer\u00eda se configur\u00f3 para usar un certificado espec\u00edfico (`publicCert`) para fines de verificaci\u00f3n de firma. Un atacante puede falsificar la verificaci\u00f3n de la firma modificando el documento XML y reemplazando la firma existente con una firma generada con una clave privada maliciosa (creada por el atacante) y adjuntando el certificado de esa clave privada al elemento `<KeyInfo />`. Esta vulnerabilidad es una combinaci\u00f3n de cambios introducidos en `4.0.0` en la solicitud de extracci\u00f3n 301/compromiso `c2b83f98` y se ha solucionado en la versi\u00f3n 6.0.0 con la solicitud de extracci\u00f3n 445/compromiso `21201723d`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden verificar el certificado extra\u00eddo a trav\u00e9s de `getCertFromKeyInfo` con certificados confiables antes de aceptar los resultados de la validaci\u00f3n o configurar `xml-crypto's getCertFromKeyInfo` en `() => undefined`, forzando a `xml-crypto` a usar un `publicCert` o `privateKey` configurado expl\u00edcitamente para la verificaci\u00f3n de firma."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 3.9,
"impactScore": 5.8
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-347"
}
]
}
],
"references": [
{
"url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/node-saml/xml-crypto/pull/301",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/node-saml/xml-crypto/pull/445",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
"source": "security-advisories@github.com"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240705-0003/",
"source": "security-advisories@github.com"
},
{
"url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/node-saml/xml-crypto/pull/301",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/node-saml/xml-crypto/pull/445",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240705-0003/",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation",
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
]
}