CVE-2013-2172

CWE-310 CWE-407 CWE-2909 documents8 sources

Severity

4.3MEDIUM

EPSS

5.4%

top 9.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Santuario XML Security FOR Java

Timeline

PublishedAug 20

Latest updateMay 13

Description

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Debianlibxml-security-java< 1.5.5-2+3

▶NVDapache/santuario_xml_security6 versions+5

▶Mavenorg.apache.santuario:xmlsec1.4.0 — 1.4.8+1

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Inefficient Algorithmic Complexity in Apache Santuario XML Security↗2022-05-13

▶

OSV

Inefficient Algorithmic Complexity in Apache Santuario XML Security↗2022-05-13

▶

OSV

CVE-2013-2172: jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod↗2013-08-20

▶

CVEList

CVE-2013-2172: jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod↗2013-08-20

▶

📋Vendor Advisories

Ubuntu

Apache XML Security for Java vulnerability↗2013-11-12

▶

Red Hat

Java: XML signature spoofing↗2013-06-25

▶

Debian

CVE-2013-2172: libxml-security-java - jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML...↗2013

▶

💬Community

Bugzilla

CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing↗2013-08-21

▶