All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
{
"unresolved_ranges": [
{
"vendor_product": "oracle:communications_diameter_intelligence_hub",
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*"
],
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.1.0"
},
{
"introduced": "8.2.0"
},
{
"last_affected": "8.2.3"
}
]
},
{
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
},
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
},
{
"introduced": "11.0"
},
{
"last_affected": "11.0"
}
]
},
{
"vendor_product": "oracle:agile_plm",
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "9.3.6"
},
{
"last_affected": "9.3.6"
}
]
},
{
"vendor_product": "oracle:commerce_guided_search",
"cpes": [
"cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "11.3.2"
},
{
"last_affected": "11.3.2"
}
]
},
{
"vendor_product": "oracle:commerce_platform",
"cpes": [
"cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "11.3.2"
},
{
"last_affected": "11.3.2"
}
]
},
{
"vendor_product": "oracle:communications_messaging_server",
"cpes": [
"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "8.1"
},
{
"last_affected": "8.1"
}
]
},
{
"vendor_product": "oracle:flexcube_private_banking",
"cpes": [
"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "12.1.0"
},
{
"last_affected": "12.1.0"
}
]
},
{
"vendor_product": "oracle:outside_in_technology",
"cpes": [
"cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "8.5.5"
},
{
"last_affected": "8.5.5"
}
]
},
{
"vendor_product": "oracle:peoplesoft_enterprise_peopletools",
"cpes": [
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "8.58"
},
{
"last_affected": "8.58"
},
{
"introduced": "8.59"
},
{
"last_affected": "8.59"
}
]
},
{
"vendor_product": "oracle:retail_bulk_data_integration",
"cpes": [
"cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "16.0.3"
},
{
"last_affected": "16.0.3"
}
]
},
{
"vendor_product": "oracle:retail_financial_integration",
"cpes": [
"cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "14.1.3.2"
},
{
"last_affected": "14.1.3.2"
},
{
"introduced": "15.0.3.1"
},
{
"last_affected": "15.0.3.1"
},
{
"introduced": "16.0.3"
},
{
"last_affected": "16.0.3"
},
{
"introduced": "19.0.1"
},
{
"last_affected": "19.0.1"
}
]
},
{
"vendor_product": "oracle:retail_integration_bus",
"cpes": [
"cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "14.1.3.2"
},
{
"last_affected": "14.1.3.2"
},
{
"introduced": "15.0.3.1"
},
{
"last_affected": "15.0.3.1"
},
{
"introduced": "16.0.3"
},
{
"last_affected": "16.0.3"
},
{
"introduced": "19.0.1"
},
{
"last_affected": "19.0.1"
}
]
},
{
"vendor_product": "oracle:retail_merchandising_system",
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "16.0.3"
},
{
"last_affected": "16.0.3"
},
{
"introduced": "19.0.1"
},
{
"last_affected": "19.0.1"
}
]
},
{
"vendor_product": "oracle:retail_service_backbone",
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "14.1.3.2"
},
{
"last_affected": "14.1.3.2"
},
{
"introduced": "15.0.3.1"
},
{
"last_affected": "15.0.3.1"
},
{
"introduced": "16.0.3"
},
{
"last_affected": "16.0.3"
},
{
"introduced": "19.0.1"
},
{
"last_affected": "19.0.1"
}
]
},
{
"vendor_product": "oracle:weblogic_server",
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "12.2.1.4.0"
},
{
"last_affected": "12.2.1.4.0"
},
{
"introduced": "14.1.1.0.0"
},
{
"last_affected": "14.1.1.0.0"
}
]
}
]
}{
"cpe": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
]
}