{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/goxmlsig/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["goxmlsig"],"_cs_severities":["high"],"_cs_tags":["xml","signature-bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["goxmlsig"],"content_html":"\u003cp\u003eThe goxmlsig library, which provides XML Digital Signatures implemented in Go, is vulnerable to a loop variable capture issue in versions prior to 1.6.0. Specifically, the \u003ccode\u003evalidateSignature\u003c/code\u003e function in \u003ccode\u003evalidate.go\u003c/code\u003e iterates through references in the \u003ccode\u003eSignedInfo\u003c/code\u003e block to match the signed element's ID. In Go versions before 1.22, or when \u003ccode\u003ego.mod\u003c/code\u003e uses an older version, the code incorrectly takes the address of the loop variable \u003ccode\u003e_ref\u003c/code\u003e instead of its value. This results in the \u003ccode\u003eref\u003c/code\u003e pointer potentially always pointing to the last element in the \u003ccode\u003eSignedInfo.References\u003c/code\u003e slice after the loop, especially if multiple references match the ID or if the loop logic is flawed. The vulnerability, identified as CVE-2026-33487, can lead to signature validation bypass. goxmlsig version 1.6.0 addresses this vulnerability with a patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XML document with a digital signature.\u003c/li\u003e\n\u003cli\u003eThe crafted XML document is submitted to a Go application using goxmlsig for signature validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateSignature\u003c/code\u003e function in \u003ccode\u003evalidate.go\u003c/code\u003e is invoked.\u003c/li\u003e\n\u003cli\u003eThe function iterates through the \u003ccode\u003eSignedInfo.References\u003c/code\u003e slice.\u003c/li\u003e\n\u003cli\u003eDue to the loop variable capture issue (CVE-2026-33487), the \u003ccode\u003eref\u003c/code\u003e pointer incorrectly points to the last element in the slice, especially if running Go versions older than 1.22.\u003c/li\u003e\n\u003cli\u003eThe incorrect \u003ccode\u003eref\u003c/code\u003e pointer leads to a mismatch during signature verification.\u003c/li\u003e\n\u003cli\u003eDespite the signature being invalid, the validation may incorrectly pass due to the flawed logic.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious XML document as if it were genuinely signed, leading to potential data corruption or unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass signature validation in applications using goxmlsig. This can lead to severe consequences such as processing of untrusted or tampered XML data. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high impact. This could potentially impact any application relying on goxmlsig for secure XML processing, leading to data integrity compromise or unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the goxmlsig library to version 1.6.0 or later to patch CVE-2026-33487.\u003c/li\u003e\n\u003cli\u003eWhen using goxmlsig, ensure the Go version is 1.22 or higher to avoid the loop variable capture issue.\u003c/li\u003e\n\u003cli\u003eImplement additional validation checks on the processed XML data to detect potential tampering, even after signature validation.\u003c/li\u003e\n\u003cli\u003eMonitor the applications logs for error or unexpected behavior during XML signature validation using goxmlsig.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-25-goxmlsig-loop-variable-capture/","summary":"A vulnerability exists in goxmlsig versions prior to 1.6.0 related to loop variable capture in the `validateSignature` function when using older Go versions, leading to incorrect signature validation.","title":"goxmlsig Vulnerability CVE-2026-33487 Loop Variable Capture","url":"https://feed.craftedsignal.io/briefs/2024-01-25-goxmlsig-loop-variable-capture/"}],"language":"en","title":"CraftedSignal Threat Feed - Goxmlsig","version":"https://jsonfeed.org/version/1.1"}