CVE-2020-13101

Published: Aug 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation.

Affected (1)

Products: Oasis Open: Oasis Digital Signature Services

1 product

Oasis Digital Signature Services

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oasis Open Oasis Digital Signature Services	Version 1.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://www.oasis-open.org/apps/org/workgroup/dss-x/

Source: cve@mitre.org

Permissions RequiredVendor Advisory

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss-x

Source: cve@mitre.org

Vendor Advisory

https://www.oasis-open.org/standards#dssv1.0

Source: cve@mitre.org

Vendor Advisory

https://www.oasis-open.org/apps/org/workgroup/dss-x/

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss-x

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.oasis-open.org/standards#dssv1.0

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.