
High Security issues reported with Apache Santuario library bundled in CXF 3.4.4


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.4.4
    • Fix Version/s: 3.4.5
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      High Security Vulnerability CVE-2021-40690 has been reported with the Apache Santuario 2.2.2 library being bundled within CXF 3.4.4.

      https://nvd.nist.gov/vuln/detail/CVE-2021-40690

      CVE-2021-40690

      Affected Component(s): Apache Santuario (Java), OpenEJB
      Vulnerability Published: 2021-09-19 14:15 EDT
      Vulnerability Updated: 2021-10-01 12:08 EDT
      CVSS Score: 7.5 (overall), 7.5 (base)

      Summary: All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.


      Fixed in Apache Santuario version 2.2.3.
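      As an added example (not code from the CXF or Santuario projects), a small Python check that reads the bundled xmlsec jar version out of a CXF lib/ listing and compares it against the fixed releases named in the advisory (2.2.3 and 2.1.7); the jar names in the sample listing are constructed.

```python
"""Flag a bundled Apache Santuario (xmlsec) jar that is affected by CVE-2021-40690.

Added example, not code from the CXF or Santuario projects. Fixed releases per
the advisory: 2.2.3 on the 2.2 line and 2.1.7 on the 2.1 line. Lines older than
2.1 (2.0.x, 1.x) received no fix and are treated as affected; lines newer than
2.2 were released after the fix and are treated as not affected.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release on each maintained line named in the advisory.
FIXED_ON_LINE = {(2, 2): (2, 2, 3), (2, 1): (2, 1, 7)}

# Matches 'xmlsec-2.2.2.jar' and qualified names such as 'xmlsec-2.2.2-SNAPSHOT.jar'.
JAR_RE = re.compile(r"^xmlsec-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.2.2' or '2.2.2-SNAPSHOT' -> (2, 2, 2); missing components become 0."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True if this xmlsec version is prior to the fix for CVE-2021-40690."""
    v = parse_version(version)
    fixed = FIXED_ON_LINE.get(v[:2])
    if fixed is None:
        return v[:2] < (2, 1)  # older lines: never fixed; newer lines: born fixed
    return v < fixed


def xmlsec_version_from_jar(name: str) -> Optional[str]:
    """Extract the version from a bundled jar file name, or None if not xmlsec."""
    m = JAR_RE.match(name)
    return m.group(1) if m else None


def audit_lib_dir(jar_names) -> Dict[str, bool]:
    """Map every xmlsec jar in a lib/ listing to whether it is affected."""
    result = {}
    for name in jar_names:
        version = xmlsec_version_from_jar(name)
        if version is not None:
            result[name] = is_vulnerable(version)
    return result


if __name__ == "__main__":
    # Constructed listing resembling a CXF 3.4.4 lib/ directory (names are illustrative).
    sample = ["cxf-core-3.4.4.jar", "xmlsec-2.2.2.jar", "wss4j-ws-security-dom-2.3.1.jar"]
    for jar, affected in audit_lib_dir(sample).items():
        print(f"{jar}: {'affected by CVE-2021-40690' if affected else 'not affected'}")
```

      On a real installation, feed `audit_lib_dir` the output of `os.listdir` on the distribution's lib/ directory; upgrading to CXF 3.4.5 (the fix version of this ticket) or replacing the jar with xmlsec 2.2.3 clears the finding.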


      People

        Assignee: Unassigned
        Reporter: WCM RnD (wcmrnd)