CVE-2021-40690

Source
https://cve.org/CVERecord?id=CVE-2021-40690
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40690.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-40690
Published
2021-09-19T18:15:07.223Z
Modified
2026-07-01T11:54:20.340342452Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Apache Santuario - XML Security for Java releases before 2.1.7, and 2.2.0 through 2.2.2 (fixed in 2.2.3), do not pass the "secureValidation" property correctly when a KeyInfo is created from a KeyInfoReference element, so secure validation is not enforced on that code path. An attacker who supplies the signed XML can abuse an XPath Transform inside a RetrievalMethod element to read arbitrary local .xml files; the CVSS vector above (C:H/I:N/A:N) reflects this as a pure confidentiality impact.
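The ranges below are expressed as OSV event lists ("introduced", "fixed", "last_affected"), and reading them by hand is error-prone: "fixed" is an exclusive bound, "last_affected" is inclusive and says nothing about later versions, and a product may have several disjoint ranges. The following is an added example, not code from the OSV record or from Apache Santuario, CXF or TomEE: it folds the event lists copied from this record's "Database specific" blocks into ranges, classifies a version as affected, not affected or unknown, and applies that to a constructed `mvn dependency:list` listing. The version-ordering rules, the status names, the Maven coordinates in KNOWN_ARTIFACTS and the sample dependency lines are the editor's assumptions.

```python
"""Evaluate OSV-style affected ranges for CVE-2021-40690.

Added example; not code from the OSV record or from Apache Santuario, CXF or
TomEE. Event lists are copied from the record's "extracted_events"; everything
else (version ordering, status names, Maven coordinates, sample input) is an
assumption made for illustration.
"""

# Event lists copied from the "Database specific" blocks of the record.
SANTUARIO_EVENTS = [
    {"introduced": "0"}, {"fixed": "2.1.7"},
    {"introduced": "2.2.0"}, {"fixed": "2.2.3"},
]
TOMEE_EVENTS = [{"introduced": "0"}, {"fixed": "8.0.8"}]
CXF_EVENTS = [{"introduced": "0"}, {"last_affected": "3.4.4"}]
DIH_EVENTS = [  # oracle:communications_diameter_intelligence_hub
    {"introduced": "8.0.0"}, {"last_affected": "8.1.0"},
    {"introduced": "8.2.0"}, {"last_affected": "8.2.3"},
]


def _split(version):
    """'3.0.0-milestone2' -> ((3, 0, 0), 0). The second element orders a
    pre-release qualifier (anything after '-') below the bare release.
    Non-numeric components are treated as 0; this is a simplification."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return nums, (0 if qualifier else 1)


def cmp_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 ('2.1' == '2.1.0')."""
    (na, qa), (nb, qb) = _split(a), _split(b)
    width = max(len(na), len(nb))
    ka = (na + (0,) * (width - len(na)), qa)
    kb = (nb + (0,) * (width - len(nb)), qb)
    return (ka > kb) - (ka < kb)


def ranges_from_events(events):
    """Fold the flat OSV event list into (introduced, upper, inclusive) triples.
    'fixed' is an exclusive upper bound, 'last_affected' an inclusive one,
    None means the range is still open (no fix recorded)."""
    ranges, start = [], None
    for ev in events:
        if "introduced" in ev:
            if start is not None:
                ranges.append((start, None, False))
            start = ev["introduced"]
        elif "fixed" in ev:
            ranges.append((start or "0", ev["fixed"], False))
            start = None
        elif "last_affected" in ev:
            ranges.append((start or "0", ev["last_affected"], True))
            start = None
    if start is not None:
        ranges.append((start, None, False))
    return ranges


def status(version, events):
    """'affected', 'not_affected', or 'unknown' when the version lies beyond a
    last_affected bound and no range with a real fix covers it."""
    past_last_affected = False
    for lo, hi, inclusive in ranges_from_events(events):
        if cmp_versions(version, lo) < 0:
            continue
        if hi is None:
            return "affected"
        c = cmp_versions(version, hi)
        if c < 0 or (inclusive and c == 0):
            return "affected"
        if inclusive:
            past_last_affected = True
    return "unknown" if past_last_affected else "not_affected"


# Assumed Maven coordinates for the three Git repositories in the record.
KNOWN_ARTIFACTS = {
    ("org.apache.santuario", "xmlsec"): SANTUARIO_EVENTS,
    ("org.apache.cxf", "cxf-core"): CXF_EVENTS,
    ("org.apache.tomee", "openejb-core"): TOMEE_EVENTS,
}

# Constructed sample of `mvn dependency:list` output (group:artifact:type:version:scope).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.santuario:xmlsec:jar:2.2.2:compile
[INFO]    org.apache.cxf:cxf-core:jar:3.4.4:compile
[INFO]    org.apache.tomee:openejb-core:jar:8.0.8:provided
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
"""


def scan_maven_list(text):
    """Return [(group:artifact, version, status)] for tracked artifacts."""
    findings = []
    for raw in text.splitlines():
        parts = raw.replace("[INFO]", "").strip().split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # scope may be absent
        events = KNOWN_ARTIFACTS.get((group, artifact))
        if events is not None:
            findings.append((f"{group}:{artifact}", version, status(version, events)))
    return findings


if __name__ == "__main__":
    for coordinate, version, result in scan_maven_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate} {version}: {result}")
```

Two outcomes are worth noting. xmlsec 2.1.7 and 2.2.3 come out as not affected while 2.1.6 and 2.2.2 are affected, matching the two fixed bounds. CXF 3.4.5 comes out as "unknown" rather than "not affected": the record's CXF entry is a single CPE string (3.4.4) converted into a last_affected bound, so it carries no information about later CXF releases, and the decision for those has to come from the xmlsec version CXF actually bundles or from the CXF project's own advisories.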

Database specific
{
    "unresolved_ranges": [
        {
            "source": "CPE_RANGE",
            "cpes": [
                "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.1.0"
                },
                {
                    "introduced": "8.2.0"
                },
                {
                    "last_affected": "8.2.3"
                }
            ],
            "vendor_product": "oracle:communications_diameter_intelligence_hub"
        },
        {
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                },
                {
                    "last_affected": "10.0"
                },
                {
                    "last_affected": "11.0"
                }
            ],
            "vendor_product": "debian:debian_linux"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "9.3.6"
                }
            ],
            "vendor_product": "oracle:agile_plm"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "11.3.2"
                }
            ],
            "vendor_product": "oracle:commerce_guided_search"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "11.3.2"
                }
            ],
            "vendor_product": "oracle:commerce_platform"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "8.1"
                }
            ],
            "vendor_product": "oracle:communications_messaging_server"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "12.1.0"
                }
            ],
            "vendor_product": "oracle:flexcube_private_banking"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "8.5.5"
                }
            ],
            "vendor_product": "oracle:outside_in_technology"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "8.58"
                },
                {
                    "last_affected": "8.59"
                }
            ],
            "vendor_product": "oracle:peoplesoft_enterprise_peopletools"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "16.0.3"
                }
            ],
            "vendor_product": "oracle:retail_bulk_data_integration"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "14.1.3.2"
                },
                {
                    "last_affected": "15.0.3.1"
                },
                {
                    "last_affected": "16.0.3"
                },
                {
                    "last_affected": "19.0.1"
                }
            ],
            "vendor_product": "oracle:retail_financial_integration"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "14.1.3.2"
                },
                {
                    "last_affected": "15.0.3.1"
                },
                {
                    "last_affected": "16.0.3"
                },
                {
                    "last_affected": "19.0.1"
                }
            ],
            "vendor_product": "oracle:retail_integration_bus"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "16.0.3"
                },
                {
                    "last_affected": "19.0.1"
                }
            ],
            "vendor_product": "oracle:retail_merchandising_system"
        },
        {
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "14.1.3.2"
                },
                {
                    "last_affected": "15.0.3.1"
                },
                {
                    "last_affected": "16.0.3"
                },
                {
                    "last_affected": "19.0.1"
                }
            ],
            "vendor_product": "oracle:retail_service_backbone"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "12.2.1.4.0"
                },
                {
                    "last_affected": "14.1.1.0.0"
                }
            ],
            "vendor_product": "oracle:weblogic_server"
        }
    ]
}
Affected packages

Git
github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.4.4"
        }
    ],
    "cpe": "cpe:2.3:a:apache:cxf:3.4.4:*:*:*:*:*:*:*"
}

Affected versions

cxf-2.*
cxf-2.1
cxf-2.1.2
cxf-2.2
cxf-2.2.1
cxf-2.2.2
cxf-2.3.0
cxf-2.4.0
cxf-2.5.0
cxf-2.5.1
cxf-2.6.0
cxf-2.6.1
cxf-2.7.0
cxf-2.7.1
cxf-2.7.2
cxf-3.*
cxf-3.0.0
cxf-3.0.0-milestone2
cxf-3.1.0
cxf-3.1.1
cxf-3.1.2
cxf-3.1.3
cxf-3.1.4
cxf-3.2.0
cxf-3.2.1
cxf-3.2.2
cxf-3.2.3
cxf-3.2.4
cxf-3.2.5
cxf-3.3.0
cxf-3.3.1
cxf-3.3.2
cxf-3.3.3
cxf-3.4.0
cxf-3.4.1
cxf-3.4.2
cxf-3.4.3
cxf-3.4.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40690.json"
github.com/apache/santuario-xml-security-java

Affected ranges

Type
GIT
Repo
https://github.com/apache/santuario-xml-security-java
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.7"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.3"
        }
    ],
    "cpe": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*"
}

Affected versions

xmlsec-2.*
xmlsec-2.1.6
xmlsec-2.2.0
xmlsec-2.2.1
xmlsec-2.2.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40690.json"
github.com/apache/tomee

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomee
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.0.8"
        }
    ],
    "cpe": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*"
}

Affected versions

8.*
8.0.0-TT.1
tomee-8.*
tomee-8.0.1
tomee-8.0.2
tomee-8.0.5
tomee-8.0.6
tomee-project-8.*
tomee-project-8.0.3
tomee-project-8.0.4
tomee-project-8.0.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40690.json"