Medium severity (5.3) · NVD Advisory · Published Jun 26, 2024 · Updated Apr 15, 2026
CVE-2024-34580
Description
Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. Even when avoiding this particular issue, any use of this library would need considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case. We recommend against continued direct use of this library.
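The vector the record describes is a KeyInfo whose contents tell the verifier to fetch key material from a URI of the attacker's choosing. A consumer that only ever expects inline or pre-provisioned keys can refuse such documents before they reach the signature library at all. The following screen is an added example written for this page; it is not code from Apache XML Security for C++, the Santuario project, or the CVE record, and it goes one step beyond the record by also checking ds:SignedInfo/ds:Reference URIs, which the XMLDsig core specification likewise allows to point outside the document. The sample XML, the internal address used as the fetch target, and the function names are all constructed for illustration.

```python
"""Pre-verification screen for dereferenceable URIs in an XML Signature.

Added example for the CVE-2024-34580 record; not Santuario project code.
Assumption: the consumer expects keys inline (or by KeyName) and signed content
by same-document reference, so any URI that is not a '#fragment' is rejected
before the signature is ever handed to an XMLDsig library.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def is_same_document_uri(uri):
    """Only fragment references ('#id') stay inside the document. http, https,
    file, a bare path, or an empty RetrievalMethod URI would all make a
    verifier fetch something, so they count as a dereference."""
    return uri.startswith("#")


def screen_signature(xml_text):
    """Collect every URI attribute a verifier could dereference: under
    ds:KeyInfo (the vector named in CVE-2024-34580, e.g. RetrievalMethod/@URI)
    and under ds:SignedInfo (ds:Reference/@URI, the same class of fetch).
    Returns a list of findings: {"where", "element", "uri", "verdict"}."""
    root = ET.fromstring(xml_text)  # stdlib expat: no external entity fetching
    findings = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        for where in ("KeyInfo", "SignedInfo"):
            for container in sig.iter(f"{{{DS_NS}}}{where}"):
                for el in container.iter():
                    uri = el.get("URI")
                    if uri is None:
                        continue
                    findings.append({
                        "where": where,
                        "element": _local(el.tag),
                        "uri": uri,
                        "verdict": "allow" if is_same_document_uri(uri) else "reject",
                    })
    return findings


def safe_to_verify(xml_text):
    """True only when every URI the signature carries points back into the document."""
    return all(f["verdict"] == "allow" for f in screen_signature(xml_text))


# Constructed sample: an enveloped signature whose KeyInfo carries only a key name.
BENIGN = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body Id="body">order 42</Body>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#body">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>c2FtcGxl</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>c2FtcGxl</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>signer-2024</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</Envelope>"""

# Constructed sample: same document, but KeyInfo now tells the verifier to fetch
# the certificate from an internal address (a link-local metadata endpoint stands
# in for any internal target), and the signed Reference points at a local file.
MALICIOUS = BENIGN.replace(
    "<ds:KeyInfo><ds:KeyName>signer-2024</ds:KeyName></ds:KeyInfo>",
    '<ds:KeyInfo>'
    '<ds:RetrievalMethod Type="http://www.w3.org/2000/09/xmldsig#X509Data"'
    ' URI="http://169.254.169.254/latest/meta-data/"/>'
    '<ds:X509Data><ds:X509Certificate>c2FtcGxl</ds:X509Certificate></ds:X509Data>'
    '</ds:KeyInfo>',
).replace('<ds:Reference URI="#body">', '<ds:Reference URI="file:///etc/hostname">')


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "->", "verify" if safe_to_verify(doc) else "REJECT before verification")
        for f in screen_signature(doc):
            print("   ", f["where"], f["element"], f["uri"], f["verdict"])
```

The screen has to run before the document is passed to the XMLDsig library, because the fetch happens inside key resolution and digest computation, not after verification fails. Rejecting every non-fragment URI is stricter than the specification and is only appropriate when the deployment never needs remote key or content retrieval; where it does, the same walk can be turned into an allow-list of permitted hosts. Since the project's position is that safe use depends on configuring the library correctly, a screen like this complements, and does not replace, disabling or constraining the library's own resolvers.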
Patches
No patches discovered yet.
References
- https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery (NVD)
- https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md (NVD)
- https://lists.apache.org/thread/po2gocnw4gtf4boy5mmjb54g62qhbrl9 (NVD)
- https://santuario.apache.org/download.html (NVD)
- https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/3726671873/Santuario (NVD)
- https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library (NVD)