GHSA-r237-w2w6-jq3p

Source
https://github.com/advisories/GHSA-r237-w2w6-jq3p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r237-w2w6-jq3p/GHSA-r237-w2w6-jq3p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r237-w2w6-jq3p
Aliases
Published
2022-05-13T01:05:56Z
Modified
2024-03-05T18:32:11.352657Z
Summary
Inefficient Algorithmic Complexity in Apache Santuario XML Security
Details

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

References

Affected packages

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.4.8

Affected versions

1.*

1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.5

Affected versions

1.*

1.5.0
1.5.1
1.5.2
1.5.3
1.5.4