Lucene search

[email protected]CVE-2013-2172

HistoryAug 20, 2013 - 10:55 p.m.

CVE-2013-2172

2013-08-2022:55:04

CWE-310

[email protected]

web.nvd.nist.gov

apache santuario xml security

java

cve-2013-2172

xml signature

spoofing

vulnerability

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.2%

JSON

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak “canonicalization algorithm to apply to the SignedInfo part of the Signature.”

Affected configurations

NVD

Node

apachesantuario_xml_security_for_javaMatch1.4.7

apachesantuario_xml_security_for_javaMatch1.5.0

apachesantuario_xml_security_for_javaMatch1.5.1

apachesantuario_xml_security_for_javaMatch1.5.2

apachesantuario_xml_security_for_javaMatch1.5.3

apachesantuario_xml_security_for_javaMatch1.5.4

CPENameOperatorVersion
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.4.7
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.5.0
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.5.1
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.5.2
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.5.3
apache:santuario_xml_security_for_javaapache santuario xml security for javaeq1.5.4

CPE	Name	Operator	Version
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.4.7
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.5.0
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.5.1
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.5.2
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.5.3
apache:santuario_xml_security_for_java	apache santuario xml security for java	eq	1.5.4

References

rhn.redhat.com/errata/RHSA-2013-1207.html

rhn.redhat.com/errata/RHSA-2013-1208.html

rhn.redhat.com/errata/RHSA-2013-1209.html

rhn.redhat.com/errata/RHSA-2013-1217.html

rhn.redhat.com/errata/RHSA-2013-1218.html

rhn.redhat.com/errata/RHSA-2013-1219.html

rhn.redhat.com/errata/RHSA-2013-1220.html

rhn.redhat.com/errata/RHSA-2013-1375.html

rhn.redhat.com/errata/RHSA-2013-1437.html

rhn.redhat.com/errata/RHSA-2013-1853.html

rhn.redhat.com/errata/RHSA-2014-0212.html

santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

seclists.org/fulldisclosure/2014/Dec/23

secunia.com/advisories/54019

svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h

www.debian.org/security/2014/dsa-3065

www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

www.osvdb.org/94651

www.securityfocus.com/archive/1/534161/100/0/threaded

www.securityfocus.com/bid/60846

www.ubuntu.com/usn/USN-2028-1

www.vmware.com/security/advisories/VMSA-2014-0012.html

lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E

lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E