XML Security Library (xmlsec) XML Digital Signature Flaw May Let Remote Users Bypass Authentication
SecurityTracker Alert ID: 1022852
|
SecurityTracker URL: http://securitytracker.com/id/1022852
|
CVE Reference: CVE-2009-0217
|
Date: Sep 8 2009
|
Impact:
Host/resource access via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.2.12
|
Description:
A vulnerability was reported in XML Security Library (xmlsec). A remote user can forge digital certificates.
A remote user may be able to exploit a flaw in the verification of HMAC-based XML digital signatures to bypass authentication. Applications that validate HMAC-based XML digital signatures may be affected.
|
Impact:
A remote user may be able to bypass authentication. The specific impact depends on the target application.
|
Solution:
On July 14, 2009, the vendor issued a fix (1.2.12).
The vendor's advisory is available at:
http://www.aleksey.com/xmlsec/
|
Vendor URL: www.aleksey.com/xmlsec/
|
Cause:
Authentication error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 8 Sep 2009 17:31:35 -0400
Subject: XML Security Library (xmlsec)
|
http://www.aleksey.com/xmlsec/
CVE-2009-0217
> July 14 2009
> * Fixed HMAC vulnerability with small values of HMAC length (CERT VU #466161).
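
The changelog entry above ties the fix to small HMAC length values. The following is an added example, not xmlsec's code and not part of this advisory, of how a verifier can refuse a signature whose declared `HMACOutputLength` (the XML-DSig truncation element) is too small before comparing anything. The function names, the sample document, and the floor of at least 80 bits and at least half the hash output are assumptions of this example, and the canonicalized `SignedInfo` bytes are assumed to be supplied by the caller.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
HMAC_ALGS = {  # SignatureMethod URI -> hash constructor
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256,
}

def allowed_bits(method):
    """Return how many HMAC bits to compare; raise ValueError on a bad length."""
    digestmod = HMAC_ALGS.get(method.get("Algorithm"))
    if digestmod is None:
        raise ValueError("unsupported SignatureMethod")
    full = digestmod().digest_size * 8
    node = method.find(DS + "HMACOutputLength")
    if node is None:
        return full                      # no truncation requested
    bits = int(node.text or "")          # ValueError if not a number
    # The length comes from the untrusted document: enforce a floor first.
    if bits % 8 or bits > full or bits < max(80, full // 2):
        raise ValueError("HMACOutputLength outside policy")
    return bits

def verify(signature_xml, signed_bytes, key):
    """signed_bytes: canonicalized SignedInfo, assumed supplied by the caller."""
    sig = ET.fromstring(signature_xml)
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    value = sig.find(DS + "SignatureValue")
    if method is None or value is None:
        return False
    try:
        bits = allowed_bits(method)
        claimed = base64.b64decode((value.text or "").strip(), validate=True)
    except ValueError:                   # includes binascii.Error
        return False
    mac = hmac.new(key, signed_bytes, HMAC_ALGS[method.get("Algorithm")])
    return hmac.compare_digest(claimed, mac.digest()[: bits // 8])

def sample(bits, mac_bytes):
    """Constructed test document declaring an HMACOutputLength of `bits`."""
    return ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
            '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
            f'<HMACOutputLength>{bits}</HMACOutputLength></SignatureMethod>'
            f'</SignedInfo><SignatureValue>{base64.b64encode(mac_bytes).decode()}'
            '</SignatureValue></Signature>')
```

The length check runs before the comparison, so a document that declares a short output length is rejected even when the few bytes it carries happen to match.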