xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document\'s ``. `xml-crypto` prefers to use any certificate provided via digitally signed XML document\'s `` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key\'s certificate to `` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto\'s getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification.
Priority: --
CVSS v3: 10
Component:
Publish Date: May 2, 2024
Related ID: --
CVSS v2: CRITICAL
Modified Date: May 2, 2024
Find out more about CVE-2024-32962 from the MITRE-CVE dictionary and NIST NVD
Login may be required to access defects or downloads.
| Product Name |
Status |
Defect |
Fixed |
Downloads |
| Linux |
| Wind River Linux LTS 17 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux 8 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux 9 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux 7 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux LTS 21 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux LTS 22 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux LTS 18 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux LTS 19 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux CD release |
N/A |
-- |
-- |
-- |
| Wind River Linux 6 |
Not Vulnerable |
-- |
-- |
-- |
| Wind River Linux LTS 23 |
Not Vulnerable |
-- |
-- |
-- |
| VxWorks |
| VxWorks 7 |
Not Vulnerable |
-- |
-- |
-- |
| VxWorks 6.9 |
Not Vulnerable |
-- |
-- |
-- |
| Helix Virtualization Platform Cert Edition |
| Helix Virtualization Platform Cert Edition |
Not Vulnerable |
-- |
-- |
-- |
| Product Name |
Status |
Defect |
Fixed |
Downloads |
Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
