Posted to issues@cxf.apache.org by "WCM RnD (Jira)" <ji...@apache.org> on 2021/10/27 12:48:00 UTC

[jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4

WCM RnD created CXF-8613:
----------------------------

             Summary: High Security issues reported with Apache Santuario library bundled in CXF 3.4.4
                 Key: CXF-8613
                 URL: https://issues.apache.org/jira/browse/CXF-8613
             Project: CXF
          Issue Type: Bug
    Affects Versions: 3.4.4
            Reporter: WCM RnD


High Security Vulnerability CVE-2021-40690 has been reported with the Apache Santuario 2.2.2 library being bundled within CXF 3.4.4.

[https://nvd.nist.gov/vuln/detail/CVE-2021-40690]
h2. CVE-2021-40690

*Affected Component(s):* Apache Santuario (Java), OpenEJB
*Vulnerability Published:* 2021-09-19 14:15 EDT
*Vulnerability Updated:* 2021-10-01 12:08 EDT
*CVSS Score:* {color:#FF0000}7.5{color} (overall), {color:#FF0000}7.5{color} (base)

*Summary*: All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

*Fixed in Apache Santuario version 2.2.3.*
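A defender-side check for the issue described above, added here as an example and not part of this Jira issue, CXF or Santuario: it parses untrusted XML with DTDs disallowed, refuses any ds:RetrievalMethod or dsig11:KeyInfoReference in the signature before anything is dereferenced, and switches secure validation on explicitly through the JDK's JSR-105 API instead of relying on the library default. The class name, the constructed sample document and the placeholder HMAC key are assumptions, not values from the report.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class HardenedXmlSigVerifier {
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String DSIG11 = "http://www.w3.org/2009/xmldsig11#";
    // Parse untrusted XML namespace-aware, with DTDs disallowed so no external entity is resolved.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    // The CVE lives in KeyInfo indirection: refuse RetrievalMethod / KeyInfoReference outright, whatever the library does.
    static void rejectKeyInfoIndirection(Element signature) {
        if (signature.getElementsByTagNameNS(DSIG, "RetrievalMethod").getLength() > 0
                || signature.getElementsByTagNameNS(DSIG11, "KeyInfoReference").getLength() > 0) {
            throw new SecurityException("KeyInfo uses RetrievalMethod/KeyInfoReference; rejected");
        }
    }
    // Validate with the JDK's JSR-105 API and secure validation switched on explicitly.
    static boolean verify(Document doc, KeySelector keySelector) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(DSIG, "Signature");
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one ds:Signature");
        Element sigEl = (Element) sigs.item(0);
        rejectKeyInfoIndirection(sigEl);
        DOMValidateContext ctx = new DOMValidateContext(keySelector, sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample (no real SignatureValue): a KeyInfo that points elsewhere via RetrievalMethod.
        String sample = "<doc><ds:Signature xmlns:ds=\"" + DSIG + "\"><ds:KeyInfo><ds:RetrievalMethod URI=\"#k1\"/></ds:KeyInfo></ds:Signature></doc>";
        try { // placeholder HMAC key: the pre-check rejects this document before any key is consulted
            verify(parse(sample), KeySelector.singletonKeySelector(new SecretKeySpec(new byte[32], "HmacSHA256")));
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

For a genuinely signed document, pass a KeySelector that resolves the expected signing key and treat a `false` return from `verify` as a validation failure, not merely a rejected structure.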
--
This message was sent by Atlassian Jira
(v8.3.4#803005)