CVE-2023-34205: 
vulnerability analysis and mitigation

In Moov signedxml through version 1.0.0, there exists a security vulnerability where parsing raw XML (as received) can result in different output compared to parsing canonicalized XML. This vulnerability allows signature validation to be bypassed through a Signature Wrapping attack (XSW). The vulnerability was disclosed with identifier CVE-2023-34205 and was published on May 30, 2023 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

The vulnerability allows attackers to bypass signature validation through Signature Wrapping attacks, potentially compromising the integrity and authenticity of signed XML documents. This could lead to unauthorized modifications being accepted as valid, affecting both confidentiality and integrity of the system (NVD).

Users should upgrade to a version newer than 1.0.0 when available. The vulnerability was reported through GitHub Issues, indicating awareness of the security issue by the development team (GitHub Issue).