VYPR
Moderate severity · NVD Advisory · Published Aug 20, 2013 · Updated Apr 29, 2026

CVE-2013-2172


Description

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
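The following is an added example, not code from the advisory or from the Santuario project: an application-side allow-list check written against the standard javax.xml.crypto.dsig API. It unmarshals the Signature, reads the algorithm URI of the CanonicalizationMethod under SignedInfo, and refuses to call validate() unless that URI is one of the six standard canonicalization identifiers (Inclusive, Exclusive and Canonical XML 1.1, each with and without comments). The C14N 1.1 URIs are written as string literals on the assumption that the JDK's CanonicalizationMethod interface defines no constants for them. Patched Santuario releases perform an equivalent check when the element is unmarshalled; this guard gives an application that still runs an affected version the same rejection, and names the rejected URI so the failure is diagnosable.

```java
import java.security.Key;
import java.util.Set;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Element;

/** Application-side allow-list for the SignedInfo CanonicalizationMethod (added example). */
public final class C14nAllowList {

    // The six standard canonicalization identifiers. The two C14N 1.1 URIs are
    // spelled out because (assumption) the JDK interface carries no constants for them.
    private static final Set<String> ALLOWED_C14N = Set.of(
        CanonicalizationMethod.INCLUSIVE,
        CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
        CanonicalizationMethod.EXCLUSIVE,
        CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS,
        "http://www.w3.org/2006/12/xml-c14n11",
        "http://www.w3.org/2006/12/xml-c14n11#WithComments");

    /** Null-safe membership test; a missing or unknown URI is rejected, never dereferenced. */
    static boolean isAllowedC14n(String algorithmUri) {
        return algorithmUri != null && ALLOWED_C14N.contains(algorithmUri);
    }

    /**
     * Unmarshal the ds:Signature element, check the CanonicalizationMethod URI against the
     * allow-list, and only then run core validation with the supplied key.
     *
     * @param signatureElement the ds:Signature element of the document being checked
     * @param validationKey    the key the caller has independently decided to trust
     * @return the result of XMLSignature.validate(); false means the signature did not verify
     */
    public static boolean validateWithC14nCheck(Element signatureElement, Key validationKey)
            throws MarshalException, XMLSignatureException {
        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(validationKey, signatureElement);

        // Unmarshalling parses SignedInfo, including its CanonicalizationMethod child.
        XMLSignature signature = factory.unmarshalXMLSignature(ctx);
        String c14n = signature.getSignedInfo().getCanonicalizationMethod().getAlgorithm();

        // Reject before any canonicalization or cryptographic work is done, and say why.
        if (!isAllowedC14n(c14n)) {
            throw new XMLSignatureException("Rejected CanonicalizationMethod: " + c14n);
        }
        return signature.validate(ctx);
    }

    private C14nAllowList() {
    }
}
```

The check sits between unmarshalling and validate() because the algorithm URI is only known once SignedInfo has been parsed, yet must be enforced before the library canonicalizes SignedInfo with whatever method the document named. Set.of requires Java 9 or later; on older runtimes a HashSet built in a static initializer does the same job.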

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions     Patched versions
org.apache.santuario:xmlsec    Maven       >= 1.4.0, < 1.4.8     1.4.8
org.apache.santuario:xmlsec    Maven       >= 1.5.0, < 1.5.5     1.5.5

Affected products

  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.4.0, < 1.4.8

Patches

25e0e11493b0

Don't allow non-standard c14n method

https://github.com/apache/santuario-java · Colm O hEigeartaigh · Jun 17, 2013 · via ghsa
1 file changed · +18 −2
  • src/org/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java (+18 −2, modified)
    @@ -45,8 +45,12 @@ public class DOMCanonicalizationMethod extends DOMTransform
          * @param spi TransformService
          */
         public DOMCanonicalizationMethod(TransformService spi)
    -	throws InvalidAlgorithmParameterException {
    -	super(spi);
    +        throws InvalidAlgorithmParameterException
    +    {
    +        super(spi);
    +        if (!(spi instanceof ApacheCanonicalizer) && !isC14Nalg(spi.getAlgorithm())) {
    +            throw new InvalidAlgorithmParameterException("Illegal CanonicalizationMethod");
    +        } 
         }
     
         /**
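Review bot: the guard added to the TransformService constructor skips the allow-list entirely when `spi instanceof ApacheCanonicalizer`, so an ApacheCanonicalizer that reports any algorithm URI is still accepted and the exemption is the only path around `isC14Nalg`; either drop the exemption or add a comment stating why that class is trusted to constrain its own algorithm. Separately, the replaced lines convert tabs to spaces and move `throws InvalidAlgorithmParameterException` onto its own line, which turns a three-line security fix into a larger diff; a whitespace-only commit first would keep the behavioural change reviewable on its own.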
    @@ -59,6 +63,9 @@ public DOMCanonicalizationMethod(TransformService spi)
         public DOMCanonicalizationMethod(Element cmElem, XMLCryptoContext context,
     	Provider provider) throws MarshalException {
     	super(cmElem, context, provider);
    +        if (!(spi instanceof ApacheCanonicalizer) && !isC14Nalg(spi.getAlgorithm())) {
    +            throw new MarshalException("Illegal CanonicalizationMethod");
    +        } 
         }
     
         /**
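Review bot: `spi` is not a parameter of the Element constructor (those are `cmElem`, `context` and `provider`), so the new check relies on a field initialised by `super(cmElem, context, provider)` that a reader of this hunk cannot see; writing `this.spi` or adding a one-line comment would make that dependency explicit. The condition and the "Illegal CanonicalizationMethod" message are now duplicated across both constructors with only the exception type differing; a shared private check that both constructors call would keep the two copies from drifting apart.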
    @@ -102,4 +109,13 @@ public int hashCode() {
     	assert false : "hashCode not designed";
     	return 42;
         }
    +    
    +    private static boolean isC14Nalg(String alg) {
    +        return alg.equals(CanonicalizationMethod.INCLUSIVE) 
    +            || alg.equals(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS) 
    +            || alg.equals(CanonicalizationMethod.EXCLUSIVE) 
    +            || alg.equals(CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS) 
    +            || alg.equals(DOMCanonicalXMLC14N11Method.C14N_11) 
    +            || alg.equals(DOMCanonicalXMLC14N11Method.C14N_11_WITH_COMMENTS);
    +    } 
     }
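Review bot: `isC14Nalg` calls `alg.equals(...)` on the caller-supplied string, so a TransformService whose `getAlgorithm()` returns null makes the constructor fail with a NullPointerException instead of the InvalidAlgorithmParameterException or MarshalException the callers declare; comparing constant-first (`CanonicalizationMethod.INCLUSIVE.equals(alg)`) or adding `if (alg == null) return false;` at the top closes that gap. The added lines also carry trailing whitespace (`+    ` and `+    } `), and a short Javadoc listing the six accepted identifiers would make clear that any other canonicalization URI must be added here explicitly.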
    
8e8f8bf92a43

Don't allow non-standard c14n method

https://github.com/apache/santuario-java · Colm O Heigeartaigh · Jun 17, 2013 · via ghsa
1 file changed · +15 −0
  • src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java (+15 −0, modified)
    @@ -50,6 +50,9 @@ public DOMCanonicalizationMethod(TransformService spi)
             throws InvalidAlgorithmParameterException
         {
             super(spi);
    +        if (!(spi instanceof ApacheCanonicalizer) && !isC14Nalg(spi.getAlgorithm())) {
    +            throw new InvalidAlgorithmParameterException("Illegal CanonicalizationMethod");
    +        } 
         }
     
         /**
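Review bot: any TransformService that subclasses ApacheCanonicalizer bypasses `isC14Nalg` here regardless of what `getAlgorithm()` returns, because the `instanceof` test short-circuits the whole condition; if that exemption is intentional it needs a comment explaining why ApacheCanonicalizer cannot carry a non-standard algorithm, and if it is not, the check should be `!isC14Nalg(spi.getAlgorithm())` alone. The `+        } ` line also carries trailing whitespace.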
    @@ -64,6 +67,9 @@ public DOMCanonicalizationMethod(Element cmElem, XMLCryptoContext context,
             throws MarshalException
         {
             super(cmElem, context, provider);
    +        if (!(spi instanceof ApacheCanonicalizer) && !isC14Nalg(spi.getAlgorithm())) {
    +            throw new MarshalException("Illegal CanonicalizationMethod");
    +        } 
         }
     
         /**
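Review bot: the `MarshalException("Illegal CanonicalizationMethod")` thrown here does not say which algorithm URI was rejected, so in logs a signature refused for this reason is indistinguishable from other unmarshal failures; appending `spi.getAlgorithm()` to the message would let operators diagnose a rejected document without re-parsing it. As the constructor's visible parameters are `cmElem`, `context` and `provider`, `spi` here is the inherited field populated by the preceding `super(...)` call, which is worth noting in a comment.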
    @@ -111,4 +117,13 @@ public int hashCode() {
             assert false : "hashCode not designed";
             return 42; // any arbitrary constant will do 
         }
    +    
    +    private static boolean isC14Nalg(String alg) {
    +        return alg.equals(CanonicalizationMethod.INCLUSIVE) 
    +            || alg.equals(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS) 
    +            || alg.equals(CanonicalizationMethod.EXCLUSIVE) 
    +            || alg.equals(CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS) 
    +            || alg.equals(DOMCanonicalXMLC14N11Method.C14N_11) 
    +            || alg.equals(DOMCanonicalXMLC14N11Method.C14N_11_WITH_COMMENTS);
    +    } 
     }
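Review bot: `alg.equals(...)` dereferences `alg` without a null check, so a null algorithm string surfaces as a NullPointerException rather than the exceptions the two constructors declare; constant-first comparison or an explicit `if (alg == null) return false;` fixes it. Consider also replacing the six chained `||` comparisons with a `Set<String>` constant so the allow-list is testable and extensible in one place, and trim the trailing whitespace on the `+    ` and `+    } ` lines.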
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (32)
