Apache Santuario XML Security for Java vulnerabilities
6 known vulnerabilities affecting apache/santuario_xml_security_for_java.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 5
Vulnerabilities
CVE-2023-44483 | MEDIUM | CVSS 6.5 | CWE-532 | fixed in 2.2.6 | ≥ 2.3.0, < 2.3.4 | +1 more | 2023-10-20
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes t
nvd
CVE-2021-40690 | HIGH | CVSS 7.5 | CWE-200 | fixed in 2.1.7 | ≥ 2.2.0, < 2.2.3 | 2021-09-19
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
nvd
CVE-2019-12400 | MEDIUM | CVSS 5.5 | CWE-20 | ≥ 2.0.3, ≤ 2.0.10 | ≥ 2.1.0, < 2.1.4 | 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache S
nvd
CVE-2014-8152 | MEDIUM | CVSS 5.0 | CWE-254 | v2.0.0 | v2.0.1 | +1 more | 2015-01-21
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
nvd
CVE-2013-4517 | MEDIUM | CVSS 4.3 | CWE-399 | ≤ 1.5.5 | v1.2.0 | +16 more | 2014-01-11
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
nvd
CVE-2013-2172 | MEDIUM | CVSS 4.3 | CWE-310 | v1.4.7 | v1.5.0 | +4 more | 2013-08-20
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature
nvd