{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32962", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.164Z", "datePublished": "2024-05-02T06:48:55.906Z", "dateUpdated": "2025-02-13T17:52:18.895Z"}, "containers": {"cna": {"title": "XML signature verification bypass due improper verification of signature / signature spoofing", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"}, {"name": "https://github.com/node-saml/xml-crypto/pull/301", "tags": ["x_refsource_MISC"], "url": "https://github.com/node-saml/xml-crypto/pull/301"}, {"name": "https://github.com/node-saml/xml-crypto/pull/445", "tags": ["x_refsource_MISC"], "url": "https://github.com/node-saml/xml-crypto/pull/445"}, {"name": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "tags": ["x_refsource_MISC"], "url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000"}, {"name": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca"}, {"name": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "tags": ["x_refsource_MISC"], "url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation"}, {"url": "https://security.netapp.com/advisory/ntap-20240705-0003/"}], "affected": [{"vendor": "node-saml", "product": "xml-crypto", "versions": [{"version": ">= 4.0.0, < 6.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T16:05:57.815Z"}, "descriptions": [{"lang": "en", "value": "xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification."}], "source": {"advisory": "GHSA-2xp3-57p7-qf4v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "node_saml_project", "product": "xml_crypto", "cpes": ["cpe:2.3:a:node_saml_project:xml_crypto:4.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.0.0", "status": "affected", "lessThan": "6.0.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T15:03:41.921164Z", "id": "CVE-2024-32962", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T15:09:38.365Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.348Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"}, {"name": "https://github.com/node-saml/xml-crypto/pull/301", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-saml/xml-crypto/pull/301"}, {"name": "https://github.com/node-saml/xml-crypto/pull/445", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-saml/xml-crypto/pull/445"}, {"name": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000"}, {"name": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca"}, {"name": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation"}, {"url": "https://security.netapp.com/advisory/ntap-20240705-0003/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "name": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/node-saml/xml-crypto/pull/301", "name": "https://github.com/node-saml/xml-crypto/pull/301", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/node-saml/xml-crypto/pull/445", "name": "https://github.com/node-saml/xml-crypto/pull/445", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "name": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "name": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "name": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240705-0003/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.348Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32962", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-19T15:03:41.921164Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:node_saml_project:xml_crypto:4.0.0:*:*:*:*:*:*:*"], "vendor": "node_saml_project", "product": "xml_crypto", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "6.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T15:09:22.381Z"}}], "cna": {"title": "XML signature verification bypass due improper verification of signature / signature spoofing", "source": {"advisory": "GHSA-2xp3-57p7-qf4v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "node-saml", "product": "xml-crypto", "versions": [{"status": "affected", "version": ">= 4.0.0, < 6.0.0"}]}], "references": [{"url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "name": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/node-saml/xml-crypto/pull/301", "name": "https://github.com/node-saml/xml-crypto/pull/301", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/node-saml/xml-crypto/pull/445", "name": "https://github.com/node-saml/xml-crypto/pull/445", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "name": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "name": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca", "tags": ["x_refsource_MISC"]}, {"url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "name": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20240705-0003/"}], "descriptions": [{"lang": "en", "value": "xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T16:05:57.815Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32962", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:52:18.895Z", "dateReserved": "2024-04-22T15:14:59.164Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-02T06:48:55.906Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification."}, {"lang": "es", "value": "xml-crypto es una librer\u00eda de cifrado y firma digital xml para Node.js. En las versiones afectadas, la configuraci\u00f3n predeterminada no verifica la autorizaci\u00f3n del firmante, solo verifica la validez de la firma seg\u00fan la secci\u00f3n 3.2.2 de la especificaci\u00f3n w3 xmldsig-core-20080610. Como tal, sin pasos de validaci\u00f3n adicionales, la configuraci\u00f3n predeterminada permite a un actor malintencionado volver a firmar un documento XML, colocar el certificado en un elemento `` y pasar las comprobaciones de validaci\u00f3n predeterminadas `xml-crypto`. Como resultado, `xml-crypto` conf\u00eda de forma predeterminada en cualquier certificado proporcionado a trav\u00e9s de `` del documento XML firmado digitalmente. `xml-crypto` prefiere usar cualquier certificado proporcionado a trav\u00e9s de `` del documento XML firmado digitalmente, incluso si la librer\u00eda se configur\u00f3 para usar un certificado espec\u00edfico (`publicCert`) para fines de verificaci\u00f3n de firma. Un atacante puede falsificar la verificaci\u00f3n de la firma modificando el documento XML y reemplazando la firma existente con una firma generada con una clave privada maliciosa (creada por el atacante) y adjuntando el certificado de esa clave privada al elemento ``. Esta vulnerabilidad es una combinaci\u00f3n de cambios introducidos en `4.0.0` en la solicitud de extracci\u00f3n 301/compromiso `c2b83f98` y se ha solucionado en la versi\u00f3n 6.0.0 con la solicitud de extracci\u00f3n 445/compromiso `21201723d`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden verificar el certificado extra\u00eddo a trav\u00e9s de `getCertFromKeyInfo` con certificados confiables antes de aceptar los resultados de la validaci\u00f3n o configurar `xml-crypto's getCertFromKeyInfo` en `() =&gt; undefinido`, forzando a `xml-crypto` a usar un m\u00e9todo expl\u00edcito configurar `publicCert` o `privateKey` para la verificaci\u00f3n de firma."}], "id": "CVE-2024-32962", "lastModified": "2024-11-21T09:16:07.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-02T07:15:21.420", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000"}, {"source": "security-advisories@github.com", "url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca"}, {"source": "security-advisories@github.com", "url": "https://github.com/node-saml/xml-crypto/pull/301"}, {"source": "security-advisories@github.com", "url": "https://github.com/node-saml/xml-crypto/pull/445"}, {"source": "security-advisories@github.com", "url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240705-0003/"}, {"source": "security-advisories@github.com", "url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/node-saml/xml-crypto/pull/301"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/node-saml/xml-crypto/pull/445"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240705-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "xml-crypto: XML signature verification bypass due improper verification of signature / signature spoofing", "id": "2278798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278798"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification.", "A flaw was found in xml-crypto, where the default configuration lacks authorization checks for signers, only checking the signature's validity. This flaw allows malicious actors to pass a manipulated XML payload to instances of xml-crypto. By re-signing an XML document with a malicious private key and inserting the corresponding certificate into a <KeyInfo /> element, attackers can deceive xml-crypto's default validation checks, thus allowing spoofed signature verification and potentially facilitating the execution of malicious actions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-32962", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-05-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32962\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32962\nhttps://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v"], "statement": "Red Hat Developer Hub is not affected by this vulnerability because it does not use a vulnerable version of xml-crypto.", "threat_severity": "Critical"}