GHSA-4q98-wr72-h35w

Suggest an improvement
Source
https://github.com/advisories/GHSA-4q98-wr72-h35w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-4q98-wr72-h35w/GHSA-4q98-wr72-h35w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4q98-wr72-h35w
Aliases
Published
2019-08-27T17:41:33Z
Modified
2024-02-16T05:21:14.493217Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Improper input validation in Apache Santuario XML Security for Java
Details

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

References

Affected packages

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.3
Fixed
2.1.4

Affected versions

2.*

2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0
2.1.1
2.1.2
2.1.3