Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-40690 | 3 Apache, Debian, Oracle | 18 Cxf, Santuario Xml Security For Java, Tomee and 15 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | |||||
CVE-2019-12400 | 3 Apache, Oracle, Redhat | 3 Santuario Xml Security For Java, Weblogic Server, Jboss Enterprise Application Platform | 2024-02-04 | 1.9 LOW | 5.5 MEDIUM |
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4. | |||||
CVE-2014-8152 | 1 Apache | 1 Santuario Xml Security For Java | 2024-02-04 | 5.0 MEDIUM | N/A |
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. | |||||
CVE-2013-4517 | 1 Apache | 1 Santuario Xml Security For Java | 2024-02-04 | 4.3 MEDIUM | N/A |
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. | |||||
CVE-2013-2172 | 1 Apache | 1 Santuario Xml Security For Java | 2024-02-04 | 4.3 MEDIUM | N/A |
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature." |