Maven package
org.apache.santuario/xmlsec
pkg:maven/org.apache.santuario/xmlsec
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-44483 | — | >= 2.3.0, < 2.3.4 | 2.3.4 | Oct 20, 2023 | All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are | ||
| CVE-2021-40690 | — | >= 2.2.0, < 2.2.3 | 2.2.3 | Sep 19, 2021 | All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform | ||
| CVE-2019-12400 | — | >= 2.0.3, < 2.1.4 | 2.1.4 | Aug 23, 2019 | In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader | ||
| CVE-2014-8152 | — | >= 2.0.0, < 2.0.3 | 2.0.3 | Jan 21, 2015 | Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. | ||
| CVE-2013-4517 | — | < 1.5.6 | 1.5.6 | Jan 11, 2014 | Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. | ||
| CVE-2013-5823 | — | >= 1.4.0, < 1.4.8 | 1.4.8 | Oct 16, 2013 | Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security. | ||
| CVE-2013-2172 | — | >= 1.4.0, < 1.4.8 | 1.4.8 | Aug 20, 2013 | jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "ca | ||
| CVE-2009-0217 | — | >= 1.4.0, < 1.4.3 | 1.4.3 | Jul 14, 2009 | The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Pro |
- CVE-2023-44483Oct 20, 2023affected >= 2.3.0, < 2.3.4fixed 2.3.4
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are
- CVE-2021-40690Sep 19, 2021affected >= 2.2.0, < 2.2.3fixed 2.2.3
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform
- CVE-2019-12400Aug 23, 2019affected >= 2.0.3, < 2.1.4fixed 2.1.4
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader
- CVE-2014-8152Jan 21, 2015affected >= 2.0.0, < 2.0.3fixed 2.0.3
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
- CVE-2013-4517Jan 11, 2014affected < 1.5.6fixed 1.5.6
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
- CVE-2013-5823Oct 16, 2013affected >= 1.4.0, < 1.4.8fixed 1.4.8
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
- CVE-2013-2172Aug 20, 2013affected >= 1.4.0, < 1.4.8fixed 1.4.8
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "ca
- CVE-2009-0217Jul 14, 2009affected >= 1.4.0, < 1.4.3fixed 1.4.3
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Pro