Bug 47527 - XML signature HMAC truncation authentication bypass
Status: CLOSED FIXED
Product: Security - Now in JIRA
Classification: Unclassified
Component: C++ Signature
Version: C++ 1.5.0
Hardware: All All
Importance: P1 blocker
Target Milestone: ---
Assigned To: XML Security Developers Mailing List
URL: http://www.kb.cert.org/vuls/id/466161
Depends on:
Blocks:
Reported: 2009-07-14 11:59 UTC by Scott Cantor
Modified: 2009-07-21 07:39 UTC
Description Scott Cantor 2009-07-14 11:59:37 UTC
Apache XML Security (C++) is affected by the vulnerability published in US-CERT VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC-based SignatureMethod algorithms.
Comment 1 Scott Cantor 2009-07-14 12:04:35 UTC
Fix in svn, will be released in 1.5.1.
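The truncation-length problem from the description, as an added Python example (not the Apache XML Security code or its fix): a verifier that trusts the length carried in the document, beside one that enforces the minimum from the W3C XML Signature specification (at least 80 bits and at least half the hash output). Function names, key and data are constructed for illustration, and restricting lengths to multiples of 8 is a simplification of this example.

```python
import hmac

# Output size in bits of the hashes behind the HMAC SignatureMethod algorithms.
DIGEST_BITS = {"sha1": 160, "sha256": 256, "sha512": 512}

# Constructed sample inputs (not from the bug report).
KEY = b"constructed-shared-secret"
DATA = b"<SignedInfo>constructed sample</SignedInfo>"


def truncated_hmac(key, data, alg, out_bits):
    """Leftmost out_bits of HMAC(key, data); out_bits is a multiple of 8 here."""
    return hmac.new(key, data, alg).digest()[: out_bits // 8]


def verify_naive(key, data, sig, alg, out_bits):
    """Flawed pattern: out_bits comes from the signed document and is
    used without a lower bound, so a tiny value leaves almost nothing to check."""
    expected = truncated_hmac(key, data, alg, out_bits)
    return hmac.compare_digest(expected, sig[: len(expected)])


def min_output_bits(alg):
    """Smallest acceptable truncation length: max(80, half the digest size)."""
    return max(80, DIGEST_BITS[alg] // 2)


def verify_checked(key, data, sig, alg, out_bits=None):
    """Reject out-of-range truncation lengths before comparing any bytes."""
    full = DIGEST_BITS[alg]
    if out_bits is None:          # no HMACOutputLength element: full digest
        out_bits = full
    if out_bits % 8 or not (min_output_bits(alg) <= out_bits <= full):
        return False
    expected = truncated_hmac(key, data, alg, out_bits)
    return len(sig) == len(expected) and hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # A zero-length truncation passes the naive check with an empty signature
    # and no knowledge of the key; the checked verifier refuses it.
    print("naive, 0 bits:  ", verify_naive(KEY, DATA, b"", "sha1", 0))
    print("checked, 0 bits:", verify_checked(KEY, DATA, b"", "sha1", 0))
    good = truncated_hmac(KEY, DATA, "sha1", 80)
    print("checked, 80-bit SHA-1:", verify_checked(KEY, DATA, good, "sha1", 80))
```
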