498 matches found
CVE-2023-49087 Validation of SignedInfo
xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree the one that contain...
xml-security Data Forgery Issue Vulnerability
xml-security is SimpleSAMLphp open source library. xml-security version 1.6.11, saml2 5.0.0-alpha.13 version of the data forgery problem vulnerability , the vulnerability stems from the XML signature validation needs to verify that the hash value of the XML document in question matches a specific...
Improper Signature Validation
simplesamlphp/xml-security and simplesamlphp/saml2 are vulnerable to Improper Signature Validation. The vulnerability is due to a lack of proper signature validation in the validateReference method. This could lead to the forging of digital signatures...
GHSA-WW7X-3GXH-QM6R Validation of SignedInfo
Validation of an XML Signature requires verification that the hash value of the related XML-document after any optional transformations and/or normalizations matches a specific DigestValue-value, but also that the cryptografic signature on the SignedInfo-tree the one that contains the DigestValue...
PT-2023-8931 · Php +1 · Php +1
Name of the Vulnerable Software and Affected Versions: simplesamlphp/xml-security versions prior to 1.6.12 simplesamlphp/xml-security versions prior to 5.0.0-alpha.13 Description: The issue is related to insufficient validation of XML signatures, which could allow a remote attacker to forge SAML...
Third-Party Dependency in Bitbucket Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in version 7.21.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...
The vulnerability of the XML data security platform in Java applications arises from XML Apache Santuario. This issue is related to errors in transmitting the “secureValidation” property during the creation of a KeyInfo object from a KeyInfoReference element. This vulnerability allows attackers to gain access to any .xml files.
The vulnerability of the XML data security platform in Java applications is related to errors in transmitting the “secureValidation” property during the creation of a KeyInfo object from a KeyInfoReference element. Exploiting this vulnerability can allow an attacker, operating remotely, to gain...
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
Information Disclosure
Apache Santuario - XML Security is vulnerable to Information Disclosure. The vulnerability is due to a key exposed as a part of debug log when debug level is enabled. This can lead to Information Disclosure if an attacker has access to the logs...
Amazon Linux AMI : apache-ivy (ALAS-2023-1863)
The version of apache-ivy installed on the remote host is prior to 2.2.0-5.2. It is, therefore, affected by a vulnerability as referenced in the ALAS-2023-1863 advisory. Improper Restriction of XML External Entity Reference, XML Injection aka Blind XPath Injection vulnerability in Apache Software...
com.github.wmixvideo:nfe (>=3.1.40 <=4.0.41), com.github.zuinnote:hadoopoffice-flinkts_2.11 (=1.7.0) +239 more potentially affected by CVE-2023-44483 via org.apache.santuario:xmlsec (>=3.0.0 <=3.0.2)
org.apache.santuario:xmlsec MAVEN version =3.0.0, =3.1.40, =2022.5.1, =2022.5.1, =2022.5.1, =2022.5.1, =2022.5.1, =2.1.0, =2.0.0, =2.0.0, =2.0.0, =2.4.0 and more Source cves: CVE-2023-44483 Source advisory: OSV:GHSA-XFRJ-6VVC-3XM2...
Apache Santuario - XML Security for Java are vulnerable to private key disclosure
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
Code injection
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
UBUNTU-CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
CVE-2023-44483
CVE-2023-44483 affects Apache Santuario – XML Security for Java; all versions prior to 2.2.6, 2.3.4, and 3.0.3 are vulnerable when using the JSR 105 API. The issue can disclose a private key in log files during XML Signature generation if debug logging is enabled, impacting confidentiality. Remed...
CVE-2023-44483 Apache Santuario: Private Key disclosure in debug-log output
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
CVE-2023-44483 Apache Santuario: Private Key disclosure in debug-log output
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...
CVE-2023-44483
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to...