Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version: 3.4.4
Description
A high-severity security vulnerability, CVE-2021-40690, has been reported in the Apache Santuario 2.2.2 library bundled with CXF 3.4.4.
https://nvd.nist.gov/vuln/detail/CVE-2021-40690
CVE-2021-40690
Affected Component(s): Apache Santuario (Java), OpenEJB
Vulnerability Published: 2021-09-19 14:15 EDT
Vulnerability Updated: 2021-10-01 12:08 EDT
CVSS Score: 7.5 (overall), 7.5 (base)
Summary: All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
Fixed in Apache Santuario version 2.2.3.
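As an added check that is not part of this issue or of the CXF/Santuario projects: the script below walks a deployment directory, finds Santuario jars by their Maven artifact name (org.apache.santuario:xmlsec ships as xmlsec-<version>.jar) and reports whether each one falls inside the affected ranges named in the summary above (2.2.x before 2.2.3, 2.1.x before 2.1.7). Treating release lines older than 2.1 as affected and lines newer than 2.2 as carrying the fix forward is an assumption, as is the script name santuario_check.py used in the usage note.

```python
"""Flag bundled Apache Santuario (xmlsec) jars affected by CVE-2021-40690."""
import os
import re
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Santuario's Maven artifact is org.apache.santuario:xmlsec, so the bundled
# file is named xmlsec-<major>.<minor>.<patch>[-qualifier].jar.
JAR_RE = re.compile(r"^xmlsec-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.]+)?\.jar$")

# First fixed patch level on each release line named in the advisory.
FIXED_PATCH = {(2, 2): 3, (2, 1): 7}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised xmlsec version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True if this xmlsec version lacks the CVE-2021-40690 fix."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    # Assumption: release lines older than 2.1 were never fixed, and lines
    # newer than 2.2 were cut after the fix and therefore include it.
    return line < (2, 1)


def classify_jars(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Map each xmlsec jar path to (path, version, vulnerable); other jars are skipped."""
    findings = []
    for path in paths:
        m = JAR_RE.match(os.path.basename(path))
        if not m:
            continue
        version = ".".join(m.groups())
        findings.append((path, version, is_vulnerable(version)))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Recursively look for xmlsec jars below root (e.g. a CXF or app-server install)."""
    return classify_jars(str(p) for p in Path(root).rglob("xmlsec-*.jar"))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_tree(root)
    for path, version, vulnerable in results:
        status = "VULNERABLE (CVE-2021-40690)" if vulnerable else "ok"
        print(f"{status:28} xmlsec {version:10} {path}")
    if not results:
        print("no xmlsec jars found under", root)
    sys.exit(1 if any(v for _, _, v in results) else 0)
```

Run it as `python santuario_check.py /path/to/cxf-or-app-server`; a non-zero exit means at least one affected jar was found. The check is purely name-based, so it will miss an xmlsec copy that was shaded into another jar or resolved at build time rather than shipped on disk; for Maven builds, `mvn dependency:tree` and grepping for org.apache.santuario:xmlsec covers that case.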