All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform in a RetrievalMethod element to extract any local .xml files.
{
"unresolved_ranges": [
{
"source": "CPE_RANGE",
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.1.0"
},
{
"introduced": "8.2.0"
},
{
"last_affected": "8.2.3"
}
],
"vendor_product": "oracle:communications_diameter_intelligence_hub"
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "9.0"
},
{
"last_affected": "10.0"
},
{
"last_affected": "11.0"
}
],
"vendor_product": "debian:debian_linux"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "9.3.6"
}
],
"vendor_product": "oracle:agile_plm"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "11.3.2"
}
],
"vendor_product": "oracle:commerce_guided_search"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "11.3.2"
}
],
"vendor_product": "oracle:commerce_platform"
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "8.1"
}
],
"vendor_product": "oracle:communications_messaging_server"
},
{
"cpes": [
"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "12.1.0"
}
],
"vendor_product": "oracle:flexcube_private_banking"
},
{
"cpes": [
"cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "8.5.5"
}
],
"vendor_product": "oracle:outside_in_technology"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "8.58"
},
{
"last_affected": "8.59"
}
],
"vendor_product": "oracle:peoplesoft_enterprise_peopletools"
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "16.0.3"
}
],
"vendor_product": "oracle:retail_bulk_data_integration"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "14.1.3.2"
},
{
"last_affected": "15.0.3.1"
},
{
"last_affected": "16.0.3"
},
{
"last_affected": "19.0.1"
}
],
"vendor_product": "oracle:retail_financial_integration"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "14.1.3.2"
},
{
"last_affected": "15.0.3.1"
},
{
"last_affected": "16.0.3"
},
{
"last_affected": "19.0.1"
}
],
"vendor_product": "oracle:retail_integration_bus"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "16.0.3"
},
{
"last_affected": "19.0.1"
}
],
"vendor_product": "oracle:retail_merchandising_system"
},
{
"source": "CPE_STRING",
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "14.1.3.2"
},
{
"last_affected": "15.0.3.1"
},
{
"last_affected": "16.0.3"
},
{
"last_affected": "19.0.1"
}
],
"vendor_product": "oracle:retail_service_backbone"
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"last_affected": "12.2.1.4.0"
},
{
"last_affected": "14.1.1.0.0"
}
],
"vendor_product": "oracle:weblogic_server"
}
]
}{
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "3.4.4"
}
],
"cpe": "cpe:2.3:a:apache:cxf:3.4.4:*:*:*:*:*:*:*"
}{
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"cpe": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*"
}