Bug 2451814 (CVE-2026-33487)
| Summary: | CVE-2026-33487 github.com/russellhaering/goxmldsig: goxmlsig: Integrity bypass due to incorrect XML Digital Signature validation via loop variable capture issue | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | alcohan, anjoseph, gparvin, jbalunas, jprabhak, lchilton, pahickey, rhaigner, sfeifer, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in goxmlsig, a Go library for XML Digital Signatures. This vulnerability arises from a programming error, specifically a loop variable capture issue, within the `validateSignature` function. When processing XML Digital Signatures, this error can cause the system to incorrectly validate the signature, potentially allowing an attacker to bypass integrity checks. This issue affects Go versions before 1.22 or projects using older `go.mod` configurations.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2452363 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-03-26 18:02:55 UTC
|