Lucene search
K

499 matches found

Cvelist
Cvelist
added 2023/10/20 9:23 a.m.20 views

CVE-2023-44483 Apache Santuario: Private Key disclosure in debug-log output

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...

6.9AI score0.01212EPSS
Exploits0References2
CNNVD
CNNVD
added 2023/10/20 12:0 a.m.4 views

Apache Santuario Log Information Disclosure Vulnerability

Apache Santuario is a set of major security standards for implementing XML from the Apache Foundation in the U.S. It contains two libraries: Apache XML Security for Java and Apache XML Security for C++. Apache Santuario suffers from a log message disclosure vulnerability that stems from the...

6.5CVSS5.6AI score0.01212EPSS
Exploits0References11
UbuntuCve
UbuntuCve
added 2023/10/20 12:0 a.m.48 views

CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...

6.5CVSS6.7AI score0.01212EPSS
Exploits0References3
OSV
OSV
added 2023/08/31 9:47 p.m.139 views

GHSA-WC9J-GC65-3CM7 DDFFileParser is vulnerable to XXE Attacks

Impact DDFFileParser and DefaultDDFFileValidator and so ObjectLoader are vulnerable to XXE AttacksProcessing. DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if they parse untrusted DDF files e.g. if they let external users provide their own model...

6.5CVSS7.6AI score0.00568EPSS
Exploits0References7
Veracode
Veracode
added 2023/05/30 1:14 p.m.22 views

Arbitrary Code Execution

ruby-saml is vulnerable to Arbitrary Code Execution. The vulnerability exists due to a lack of using prepared statements in xmlsecurity.rb which allow an attacker to execute arbitrary codes into the system...

9.8CVSS7.5AI score0.01332EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2023/05/27 9:30 p.m.32 views

GHSA-R364-2PJ4-PF7F ruby-saml vulnerable to XPath injection

xmlsecurity.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used...

9.8CVSS9.8AI score0.01332EPSS
Exploits0References9
CNNVD
CNNVD
added 2023/05/27 12:0 a.m.7 views

OneLogin ruby-saml 命令注入漏洞

Onelogin OneLogin ruby-saml is a Ruby-based SAML Security Assertion Markup Language library for Single Sign-On SSO services from Onelogin, USA. A security vulnerability exists in OneLogin ruby-saml prior to version 1.0.0, which stems from not using pre-defined statements, causing xmlsecurity.rb i...

9.8CVSS8.5AI score0.01332EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2023/05/27 12:0 a.m.5 views

PT-2023-10309 · Ruby · Ruby-Saml

Name of the Vulnerable Software and Affected Versions: ruby-saml gem versions prior to 1.0.0 Description: The issue allows XPath injection and code execution in the ruby-saml gem because prepared statements are not used. This is related to the xml security.rb file. Recommendations: For versions...

9.8CVSS7.7AI score0.01332EPSS
Exploits0References18
CVE
CVE
added 2023/05/27 12:0 a.m.66 views

CVE-2015-20108

The CVE-2015-20108 issue affects the ruby-saml gem prior to 1.0.0, where xml_security.rb enables XPath injection and code execution because prepared statements are not used. Affected component: ruby-saml XML security handling. Root cause: lack of prepared statements in XPath processing leads to i...

9.8CVSS9.8AI score0.01332EPSS
Exploits0References5Affected Software1
Tenable Nessus
Tenable Nessus
added 2023/04/20 12:0 a.m.38 views

Oracle Application Testing Suite (Apr 2023 CPU)

The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory: - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager component: Load Testing for Web Apps Apac...

7.5CVSS6.8AI score0.10448EPSS
Exploits0References5
IBM Security Bulletins
IBM Security Bulletins
added 2023/03/13 4:26 p.m.36 views

Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)

Summary BM Sterling B2B Integrator has addressed the secuirty vulnerabilities in Apache Santurio XML Security. Vulnerability Details CVEID:CVE-2021-40690 DESCRIPTION: Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the improper passi...

7.5CVSS7.5AI score0.10448EPSS
Exploits0Affected Software1
OpenVAS
OpenVAS
added 2023/03/08 12:0 a.m.13 views

Debian: Security Advisory (DLA-85-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

4.3CVSS7.6AI score0.0593EPSS
Exploits1References2
F5 Networks
F5 Networks
added 2023/02/21 6:33 p.m.30 views

K58530825: Apache CXF vulnerability CVE-2017-5653

Security Advisory Description JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. CVE-2017-5653 Impact There is no impact; F5 products are not affected by th...

5.3CVSS5.7AI score0.11167EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2023/02/15 5:53 a.m.4 views

SUSE CVE-2011-1425

xslt.c in XML Security Library aka xmlsec before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification...

5.1CVSS6.8AI score0.08057EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2023/02/15 5:16 a.m.9 views

SUSE CVE-2015-5161

The ZendXmlSecurity::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity XXE and XML entity expansion XEE...

6.8CVSS7.1AI score0.09911EPSS
Exploits7References4
SUSE CVE
SUSE CVE
added 2023/02/15 4:11 a.m.5 views

SUSE CVE-2019-12400

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this...

5.5CVSS6.7AI score0.00776EPSS
Exploits0References2
BDU FSTEC
BDU FSTEC
added 2023/01/31 12:0 a.m.6 views

The vulnerability of the XML security component of the Oracle Web Services Manager application on the Oracle Fusion Middleware software platform allows a perpetrator to gain unauthorized access to protected data or to modify, add, or delete protected data.

The vulnerability of the XML Security component of the Oracle Web Services Manager application in the Oracle Fusion Middleware software platform is related to insufficient validation of input data. Exploiting this vulnerability may allow an attacker to gain unauthorized access to protected data o...

9.4CVSS7.6AI score0.00573EPSS
Exploits0References2Affected Software1
Prion
Prion
added 2023/01/18 6:15 p.m.35 views

Remote code execution

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec aka XML Security for Java 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain...

7.5CVSS9.7AI score0.99753EPSS
Exploits15References10Affected Software23
NVD
NVD
added 2023/01/18 12:15 a.m.21 views

CVE-2023-21862

Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware component: XML Security component. The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web...

8.1CVSS7.8AI score0.00573EPSS
Exploits0References1
Prion
Prion
added 2023/01/18 12:15 a.m.15 views

Design/Logic Flaw

Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware component: XML Security component. The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web...

5.8CVSS8.1AI score0.00573EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder