Bypass of the secureValidation property
Description
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Santuario prior to 2.2.3 and 2.1.7 fails to enforce secureValidation on KeyInfoReference, enabling XPath-based local XML file disclosure.
Vulnerability
The vulnerability in Apache Santuario – XML Security for Java affects all versions prior to 2.2.3 and 2.1.7. The bug is that the secureValidation property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This oversight allows an attacker to embed a RetrievalMethod element that uses an XPath Transform, and due to the missing security validation, the XPath transform can be abused to extract arbitrary local .xml files [1].
Exploitation
The attacker requires the ability to supply a crafted XML signature or encryption document that includes a KeyInfoReference pointing to a malicious RetrievalMethod. The attacker does not need authentication or special privileges beyond being able to send the malformed input to an application using Apache Santuario. By using an XPath Transform in the RetrievalMethod, the attacker can read any .xml file on the local filesystem [1].
Impact
Successful exploitation leads to local file disclosure (information disclosure) of .xml files. The attacker can read sensitive XML configuration files, keystores, or other XML data that the application process has access to. The CIA impact is limited to confidentiality loss; no direct code execution or privilege escalation is described in the available references [1].
Mitigation
Users should upgrade to Apache Santuario – XML Security for Java version 2.2.3 or 2.1.7, which contain the fix. The fix ensures that secureValidation is properly enforced when handling KeyInfoReference elements. No workaround is available in the references [1].
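As an added example (not code from the advisory or from the Santuario project), the following Java method verifies a signed document through Santuario's own XMLSignature API with secureValidation switched on, the setting the fixed versions now propagate into KeyInfo objects built from KeyInfoReference elements; the class name and the trusted-key parameter are assumptions.

```java
import java.io.File;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical class: verifies an XML-DSig signature against a key the
// application already trusts, never against a key taken from the document.
public class SecureSignatureCheck {

    public static boolean verify(File signedXml, PublicKey trustedKey) throws Exception {
        Init.init(); // one-time Santuario initialisation (idempotent)

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Hardened parser: no DTDs, no external entities (a separate risk from this CVE).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        NodeList sigs = doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) {
            return false; // exactly one ds:Signature expected
        }
        // Third argument is secureValidation: it restricts what transforms and
        // key resolution may do. On 2.2.3 / 2.1.7 the flag also reaches KeyInfo
        // objects built from KeyInfoReference, which is what this CVE fixed.
        XMLSignature sig = new XMLSignature((Element) sigs.item(0), "", true);

        // Resolving the document's KeyInfo is the code path this CVE abuses. Do it
        // only with secureValidation on, and treat the result as something to
        // compare against the trusted key, never as the trust anchor itself.
        KeyInfo keyInfo = sig.getKeyInfo();
        if (keyInfo != null) {
            PublicKey declared = keyInfo.getPublicKey();
            if (declared != null && !declared.equals(trustedKey)) {
                return false; // document claims a different signer
            }
        }
        return sig.checkSignatureValue(trustedKey);
    }
}
```

Applications that never call into KeyInfo resolution on untrusted input are not exposed through this path, but the library upgrade is still the fix.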
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.santuario:xmlsec (Maven) | >= 2.2.0, < 2.2.3 | 2.2.3 |
| org.apache.santuario:xmlsec (Maven) | < 2.1.7 | 2.1.7 |
Affected products
- pkg:apk/chainguard/elasticsearch-7 (no CPE), range: < 7.17.14-r2
- pkg:apk/chainguard/elasticsearch-7-bitnami (no CPE), range: < 7.17.14-r2
- pkg:apk/chainguard/elasticsearch-7-iamguarded (no CPE), range: < 7.17.14-r2
- pkg:maven/org.apache.santuario/xmlsec (no CPE), range: >= 2.2.0, < 2.2.3
- pkg:rpm/opensuse/xml-security&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.1.7-1.1
- Apache Software Foundation / Apache Santuario (v5 record), range: XML Security for Java
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-j8wc-gxx9-82hx (GHSA: advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-40690 (GHSA: advisory)
- https://www.debian.org/security/2021/dsa-5010 (GHSA: vendor advisory, web)
- https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E (GHSA: web)
- https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E (MITRE: mailing list; GHSA: web)
- https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html (GHSA: mailing list, web)
- https://security.netapp.com/advisory/ntap-20230818-0002/ (GHSA: web; MITRE)
- https://www.oracle.com/security-alerts/cpuapr2022.html (GHSA: web)
- https://www.oracle.com/security-alerts/cpujul2022.html (GHSA: web)
News mentions
No linked articles in our index yet.