XML-Sig Perl Module Signature Validation Vulnerability
Vulnerability
XML-Sig versions 0.27 through 0.67 for Perl do not fail verification when the document being verified carries no signature at all. An attacker who can tamper with a document in transit can therefore strip the Signature element entirely, and the stripped document still passes XML::Sig's verification. The correct behaviour, restored in later releases, is that a document without a Signature element is an error; the affected versions instead report it as successfully verified, which is indistinguishable to the caller from a genuinely signed document.
Impact
Any application that uses XML::Sig's verification result to establish the authenticity or integrity of a document (for example, an assertion or message whose trust rests on its signature) can be made to accept attacker-controlled, unsigned content as though it had been signed by the expected key. No forged signature is required; the attacker only has to remove the existing one.
Reproduction
To reproduce, take a document that would normally be signed, delete its Signature element, and pass the result to the verify method of an affected XML::Sig release. The call reports success even though there is no signature to verify, which demonstrates that the verification path does not treat the absence of a signature as a failure.
Remediation
Upgrade to XML-Sig version 0.68 or later, where verification of a document without a signature fails as it should. Until the upgrade is in place, callers should not rely on the verify result alone and should confirm for themselves that a Signature element is present before treating a document as signed.
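The following is an added example, not code from the advisory or from the XML::Sig distribution. It covers the reproduction step above (submitting a document with its Signature element stripped) and the interim mitigation: a wrapper that refuses to call XML::Sig on any document lacking a ds:Signature element, and that warns when the installed XML::Sig is older than 0.68. The sample document is constructed for this example; signer.pem is a hypothetical PEM certificate path, and the x509 and cert constructor options and the verify method are used as documented in XML::Sig's synopsis.

```perl
#!/usr/bin/env perl
# Added example: defensive wrapper around XML::Sig->verify.
# Not part of the advisory or of XML::Sig itself.
use strict;
use warnings;
use XML::LibXML;
use XML::Sig;

use constant DSIG_NS => 'http://www.w3.org/2000/09/xmldsig#';

# Warn if the installed XML::Sig predates the fix. UNIVERSAL::VERSION dies
# when the installed version is lower than the one requested.
unless (eval { XML::Sig->VERSION('0.68'); 1 }) {
    warn "XML::Sig $XML::Sig::VERSION is affected; upgrade to 0.68 or later\n";
}

# Returns 1 if the document carries at least one XML-DSig Signature element
# and XML::Sig accepts it against $cert_file (assumed to be a PEM certificate
# for the expected signer). Dies otherwise, so a missing signature can never
# be mistaken for a valid one regardless of the XML::Sig release in use.
sub verify_signed_xml {
    my ($xml, $cert_file) = @_;

    my $doc = XML::LibXML->load_xml(string => $xml);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs('ds', DSIG_NS);

    my @sigs = $xpc->findnodes('//ds:Signature');
    die "refusing document: no Signature element present\n" unless @sigs;

    # Only now hand the document to XML::Sig. On affected releases this call
    # would have returned true for the unsigned document we rejected above.
    my $verifier = XML::Sig->new({ x509 => 1, cert => $cert_file });
    my $ok = eval { $verifier->verify($xml) };
    die "signature verification failed: " . ($@ || "verify returned false\n")
        unless $ok;
    return 1;
}

# Constructed sample: the shape an attacker submits after stripping the
# Signature element from a document that was originally signed.
my $unsigned = <<'XML';
<?xml version="1.0"?>
<Assertion xmlns="urn:example:assertion" ID="a1">
  <Subject>alice</Subject>
</Assertion>
XML

my $ok = eval { verify_signed_xml($unsigned, 'signer.pem') };
print $ok ? "accepted\n" : "rejected: $@";
```

The presence check runs before XML::Sig is constructed, so the unsigned sample is rejected without reading signer.pem; a document that does contain a Signature element still goes through XML::Sig's full verification, and the wrapper reports failure both when verify returns false and when it dies. The version check is advisory only: the wrapper is the control, the upgrade is the fix.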
