CVE-2013-2172

Severity

43%

Complexity

86%

Confidentiality

48%

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

Type

Apache Software Foundation Apache Santuario XML Security for Java

First reported 11 years ago

2013-08-20 22:55:00

Last updated 6 years ago

2018-10-09 19:34:00

Affected Software

Apache Software Foundation Apache Santuario XML Security for Java 1.4.7

1.4.7

Apache Software Foundation Apache Santuario XML Security for Java 1.5.0

1.5.0

Apache Software Foundation Apache Santuario XML Security for Java 1.5.1

1.5.1

Apache Software Foundation Apache Santuario XML Security for Java 1.5.2

1.5.2

Apache Software Foundation Apache Santuario XML Security for Java 1.5.3

1.5.3

Apache Software Foundation Apache Santuario XML Security for Java 1.5.4

1.5.4

References

RHSA-2013:1207

RHSA-2013:1208

RHSA-2013:1209

RHSA-2013:1217

RHSA-2013:1218

RHSA-2013:1219

RHSA-2013:1220

RHSA-2013:1375

RHSA-2013:1437

RHSA-2013:1853

RHSA-2014:0212

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

Vendor Advisory

20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

54019

Vendor Advisory

http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h

Patch

DSA-3065

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

94651

20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

60846

USN-2028-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.