signxml@0.4.3 vulnerabilities

Python XML Signature and XAdES library

  • latest version

    4.0.5

  • latest non-vulnerable version

  • first published

    10 years ago

  • latest version published

    5 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the signxml package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Timing Attack (severity M, medium)

    signxml is a Python XML Signature and XAdES library

    Affected versions of this package are vulnerable to Timing Attack due to the verify function in XMLVerifier. An attacker can infer the correct HMAC used for XML signature verification by observing the time it takes to compare the computed HMAC with the provided hash.

    Note: This is only exploitable if X.509 certificate validation is turned off and an HMAC shared secret is set.

    How to fix Timing Attack?

    Upgrade signxml to version 4.0.4 or higher.

    Vulnerable versions: [,4.0.4)
    • Incorrect Implementation of Authentication Algorithm (severity M, medium)

    Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm due to improper handling of signature verification settings when require_x509 is set to false and hmac_key is specified. An attacker can manipulate the signature verification process by supplying a signature that uses an algorithm the verifier did not expect, leading to potential security breaches.

    Note: This is only exploitable if the user has not explicitly limited the expected signature algorithms with the expect_config argument of the signxml.XMLVerifier.verify function.

    How to fix Incorrect Implementation of Authentication Algorithm?

    Upgrade signxml to version 4.0.4 or higher.

    Vulnerable versions: [,4.0.4)
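Both advisories above come down to the same two checks in an HMAC-based XML signature verifier: pin the set of signature algorithms you are willing to accept before doing any cryptography (what expect_config provides), and compare the computed MAC with the document's SignatureValue in constant time. The stand-alone model below is added here to illustrate those checks; it is not signxml's code, and the key, SignedInfo bytes and function names are constructed for the example.

```python
import hmac
import hashlib

# XML-DSig SignatureMethod algorithm URIs (standard identifiers, not values from this page).
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
_DIGEST_FOR = {HMAC_SHA256: hashlib.sha256, HMAC_SHA1: hashlib.sha1}


def compute_mac(key: bytes, signed_info: bytes, algorithm: str) -> bytes:
    """HMAC over the already-canonicalized SignedInfo bytes, as XML-DSig specifies."""
    return hmac.new(key, signed_info, _DIGEST_FOR[algorithm]).digest()


def verify_weak(key: bytes, signed_info: bytes, algorithm: str, signature_value: bytes) -> bool:
    """Models both flaws: whatever SignatureMethod the document names is honoured,
    and the MAC is compared with ==, which stops at the first differing byte."""
    if algorithm not in _DIGEST_FOR:
        return False
    return compute_mac(key, signed_info, algorithm) == signature_value


def verify_hardened(key: bytes, signed_info: bytes, algorithm: str,
                    signature_value: bytes, expected_algorithms: frozenset) -> str:
    """Pin the algorithm set before doing any cryptography (the role of expect_config),
    then compare the MAC in constant time. Returns a status string for diagnostics."""
    if algorithm not in expected_algorithms:
        return "unexpected-algorithm"
    expected = compute_mac(key, signed_info, algorithm)
    if not hmac.compare_digest(expected, signature_value):
        return "signature-mismatch"
    return "ok"


# Constructed sample inputs so the module runs stand-alone.
KEY = b"constructed-shared-secret"
SIGNED_INFO = b"<SignedInfo><Reference URI=''/></SignedInfo>"


def demo() -> dict:
    """A document re-labelled to HMAC-SHA1: the weak verifier accepts it, the pinned one does not."""
    relabelled_mac = compute_mac(KEY, SIGNED_INFO, HMAC_SHA1)
    good_mac = compute_mac(KEY, SIGNED_INFO, HMAC_SHA256)
    return {
        "weak_accepts_relabelled": verify_weak(KEY, SIGNED_INFO, HMAC_SHA1, relabelled_mac),
        "hardened_rejects_relabelled": verify_hardened(
            KEY, SIGNED_INFO, HMAC_SHA1, relabelled_mac, frozenset({HMAC_SHA256})),
        "hardened_accepts_expected": verify_hardened(
            KEY, SIGNED_INFO, HMAC_SHA256, good_mac, frozenset({HMAC_SHA256})),
    }


if __name__ == "__main__":
    print(demo())
```

The algorithm check runs first so that an unexpected SignatureMethod is rejected before any key material is touched, and compare_digest removes the byte-by-byte timing difference that the first advisory describes.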