Bug 47527

Summary: XML signature HMAC truncation authentication bypass
Product: Security - Now in JIRA
Reporter: Scott Cantor <cantor.2>
Component: C++ Signature
Assignee: XML Security Developers Mailing List <security-dev>
Status: CLOSED FIXED    
Severity: blocker    
Priority: P1    
Version: C++ 1.5.0   
Target Milestone: ---   
Hardware: All   
OS: All   
URL: http://www.kb.cert.org/vuls/id/466161

Description Scott Cantor 2009-07-14 11:59:37 UTC
Apache XML Security (C++) is affected by the vulnerability published in US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC-based SignatureMethod algorithms.
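The mechanism behind the report, as an added Python model that is not part of this bug or of the Apache XML Security C++ code base: XML Signature lets a ds:SignatureMethod carry an HMACOutputLength child that truncates the HMAC to its leftmost N bits (RFC 2104 truncation). A verifier that honours any value the document carries compares only N bits, so an attacker who rewrites SignedInfo to say HMACOutputLength = 1 needs no key at all: one of the two possible 1-bit SignatureValues is guaranteed to match. The hardened verifier applies the minimum later adopted by the XML Signature errata (at least 80 bits and at least half the digest length) and refuses the document before comparing anything. The key, the SignedInfo bytes, the rewritten SignatureMethod element and all function names are constructed for this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
DIGEST = hashlib.sha1                       # ...#hmac-sha1
DIGEST_BITS = DIGEST().digest_size * 8      # 160 for SHA-1

# Constructed ds:SignatureMethod as an attacker would rewrite it: the
# HMACOutputLength child asks the verifier to compare only 1 bit of the MAC.
ATTACKER_SIGNATURE_METHOD = (
    '<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
    '<ds:HMACOutputLength>1</ds:HMACOutputLength>'
    '</ds:SignatureMethod>'
)


def parse_hmac_output_length(signature_method_xml):
    """HMACOutputLength in bits from a ds:SignatureMethod element, or None if absent."""
    elem = ET.fromstring(signature_method_xml)
    node = elem.find(DS_NS + "HMACOutputLength")
    if node is None or not (node.text or "").strip():
        return None
    return int(node.text.strip())


def truncate_bits(mac, out_bits):
    """Leftmost out_bits of mac (RFC 2104 truncation); None means the full MAC."""
    if out_bits is None:
        return mac
    nbytes = (out_bits + 7) // 8
    kept = bytearray(mac[:nbytes])
    spare = nbytes * 8 - out_bits
    if spare:
        kept[-1] &= (0xFF << spare) & 0xFF   # zero the bits beyond out_bits
    return bytes(kept)


def sign(key, data, out_bits=None):
    """HMAC-SHA1 over data, optionally truncated to out_bits."""
    return truncate_bits(hmac.new(key, data, DIGEST).digest(), out_bits)


def vulnerable_verify(key, data, signature_value, out_bits):
    """Models the pre-fix behaviour: honour whatever HMACOutputLength the document carries."""
    expected = sign(key, data, out_bits)
    return hmac.compare_digest(expected, truncate_bits(signature_value, out_bits))


def hmac_output_length_ok(out_bits, digest_bits=DIGEST_BITS):
    """Minimum from the XML Signature errata: >= 80 bits and >= half the digest length."""
    if out_bits is None:
        return True
    return max(80, digest_bits // 2) <= out_bits <= digest_bits


def hardened_verify(key, data, signature_value, out_bits):
    """Reject an unsafe HMACOutputLength outright instead of comparing a few bits."""
    if not hmac_output_length_ok(out_bits):
        return False
    return vulnerable_verify(key, data, signature_value, out_bits)


def forge_candidates(out_bits):
    """Every possible truncated SignatureValue for a tiny out_bits, computed without the key.
    Exactly one of them passes vulnerable_verify for any key and any data."""
    if out_bits > 16:
        raise ValueError("enumeration only makes sense for small lengths")
    nbytes = (out_bits + 7) // 8
    shift = nbytes * 8 - out_bits
    return [(v << shift).to_bytes(nbytes, "big") for v in range(1 << out_bits)]


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    data = b"<SignedInfo>constructed canonicalised content</SignedInfo>"
    bits = parse_hmac_output_length(ATTACKER_SIGNATURE_METHOD)
    for cand in forge_candidates(bits):
        print(bits, cand.hex(),
              "vulnerable:", vulnerable_verify(key, data, cand, bits),
              "hardened:", hardened_verify(key, data, cand, bits))
```

The attacker never touches the key: with HMACOutputLength = 1 the two candidates 0x00 and 0x80 cover every possible truncated MAC, so at least one forged document is accepted by the vulnerable path, while the hardened path rejects both because the length is below the 80-bit floor. Note that the length check has to run before any comparison, and that the upper bound (no longer than the digest) matters too, since an over-long value is either a spec violation or a sign of a confused verifier.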
Comment 1 Scott Cantor 2009-07-14 12:04:35 UTC
Fix in svn, will be released in 1.5.1.