GHSA-j8wc-gxx9-82hx

Source

https://github.com/advisories/GHSA-j8wc-gxx9-82hx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-j8wc-gxx9-82hx/GHSA-j8wc-gxx9-82hx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j8wc-gxx9-82hx

Aliases

CVE-2021-40690

Related

CGA-3wqx-hg8p-7g74

Published

2021-09-20T23:18:41Z

Modified

2024-02-16T05:34:39.150688Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario

Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

References

Affected packages

Maven / org.apache.santuario:xmlsec

Package

Name: org.apache.santuario:xmlsec; View open source insights on deps.dev
Purl: pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.3

Affected versions

2.*

2.2.0

2.2.1

2.2.2

Maven / org.apache.santuario:xmlsec

Package

Name: org.apache.santuario:xmlsec; View open source insights on deps.dev
Purl: pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.7

Affected versions

1.*

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

2.*

2.0.0-beta

2.0.0-rc1

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6