[GHSA-479m-364c-43vc] validateSignature Loop Variable Capture Signature Bypass in goxmldsig#7193
Hi there @russellhaering! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
👋 Hi @tomasilluminati, GitHub's CNA scope limits GitHub to "CVEs requested by code owners using the GitHub Security Advisories feature" (emphasis mine). In order for GitHub to issue a CVE, @russellhaering would need to follow the instructions from this document to go through the CVE request process. If he doesn't want to get a CVE from GitHub, you'll need to pursue CVE assignment from a different CNA. |
Hey, I actually assumed this would be assigned a CVE and am happy to endorse that. I’ll see if I can find a button to do that now that it’s already published. |
@russellhaering Thank you very much. I’m sorry for not reaching out directly; I didn’t have the chance to mention it via the GHSA, and a colleague recommended this as the best way to contact you. So I’d be more than happy if the CVE could be carried out. Let me know if there's anything I can do to help.
I’ve now seen the CVE assignment, thank you very much, @russellhaering. I hope we can work together again in the future. I’ll let you know @shelbyc in due course whether the GHSA or anything else needs to be updated in GHSA-479m-364c-43vc, for example the unknown CVE. Best regards to all.

6986373 into tomasilluminati/advisory-improvement-7193
Hi @tomasilluminati! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
The global advisory GHSA-479m-364c-43vc is now updated to show CVE-2026-33487. Thank you both for your communication and teamwork! 🤝 |
I am the reporter of this vulnerability. While the GHSA is active and the fix is available in v1.6.0, I am requesting the assignment of a CVE identifier. Given that this is a signature bypass (High severity 7.5) in a core XML digital signature library for Go, I believe that a CVE is important for standardized tracking in industrial vulnerability scanners and compliance audits. This will ensure better visibility and protection for the wider ecosystem. And I have performed a minor correction by removing backticks from the 'Details' section. This ensures better processing and more accurate indexing by automated vulnerability management systems and search engines.