Vulnerability-Lookup

CVE-2013-2172 (GCVE-0-2013-2172)

Vulnerability from cvelistv5 – Published: 2013-08-20 22:00 – Updated: 2024-08-06 15:27

Summary

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

CVE-2013-2172

Vulnerability from fstec - Published: 20.08.2013

Title

Уязвимость компонента jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java платформы для обеспечения стандартов безопасности для XML Apache Santuario XML Security for Java, позволяющая нарушителю подменить XML-подпись

Description

Уязвимость компонента jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java платформы для обеспечения стандартов безопасности для Apache Santuario XML Security for Java связана с ошибками шифрования данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, подменить XML-подпись с помощью параметра CanonicalizationMethod

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vendor

IBM Corp., Apache Software Foundation

Software Name

Tivoli Business Service Manager, Santuario XML Security

Software Version

6.2.0 (Tivoli Business Service Manager), от 1.4.0 до 1.4.8 (Santuario XML Security), от 1.5.0 до 1.5.5 (Santuario XML Security)

Possible Mitigations

Использование рекомендаций: Для Apache Santuario XML Security для Java: http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h Для программных продуктов IBM Corp.: https://www.ibm.com/support/pages/node/6826621

Reference

http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h https://www.ibm.com/support/pages/node/6826621

CWE

CWE-310

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "IBM Corp., Apache Software Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "6.2.0 (Tivoli Business Service Manager), \u043e\u0442 1.4.0 \u0434\u043e 1.4.8 (Santuario XML Security), \u043e\u0442 1.5.0 \u0434\u043e 1.5.5 (Santuario XML Security)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Apache Santuario XML Security \u0434\u043b\u044f Java:\nhttp://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 IBM Corp.:\nhttps://www.ibm.com/support/pages/node/6826621",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "20.08.2013",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "07.11.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "07.11.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-06636",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2013-2172",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Tivoli Business Service Manager, Santuario XML Security",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043e\u0432 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f XML Apache Santuario XML Security for Java, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0434\u043c\u0435\u043d\u0438\u0442\u044c XML-\u043f\u043e\u0434\u043f\u0438\u0441\u044c",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0438 (CWE-310)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043e\u0432 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f Apache Santuario XML Security for Java \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u0434\u043c\u0435\u043d\u0438\u0442\u044c XML-\u043f\u043e\u0434\u043f\u0438\u0441\u044c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 CanonicalizationMethod",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0412\u0435\u0440\u043e\u044f\u0442\u043d\u043e\u0441\u0442\u043d\u044b\u0435 \u043c\u0435\u0442\u043e\u0434\u044b",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\nhttps://www.ibm.com/support/pages/node/6826621",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-310",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,3)"
}

CERTA-2013-AVI-575

Vulnerability from certfr_avis - Published: 2013-10-16 - Updated: 2013-10-16

De multiples vulnérabilités ont été corrigées dans Oracle Fusion Middleware. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	N/A	Oracle WebLogic Server versions 12.1.1.0 et antérieures
Oracle	N/A	Oracle Security Service versions 11.1.1.6 et antérieures
Oracle	N/A	Oracle Security Service versions 11.1.2.1 et antérieures
Oracle	N/A	Oracle Outside In Technology versions 8.4.0 et antérieures
Oracle	N/A	Oracle Outside In Technology versions 8.4.1 et antérieures
Oracle	N/A	Oracle Identity Analytics versions 11.1.1.5 et antérieures
Oracle	N/A	Oracle Identity Manager versions 11.1.2.0.0 et antérieures
Oracle	N/A	Oracle JDeveloper versions 12.1.2.0.0 et antérieures
Oracle	N/A	Oracle WebCenter Content versions 10.1.1.7.0 et antérieures
Oracle	N/A	Oracle Security Service versions 11.1.1.7 et antérieures
Oracle	N/A	Oracle GlassFish Server versions 3.0.1 et antérieures
Oracle	N/A	Oracle GlassFish Server versions 3.1.2 et antérieures
Oracle	N/A	Oracle Identity Manager versions 11.1.2.1.0 et antérieures
Oracle	N/A	Oracle Web Cache versions 11.1.1.6 et antérieures
Oracle	N/A	Oracle Web Services versions 10.1.3.5.0 et antérieures
Oracle	N/A	Oracle Access Manager versions 11.1.2.0.0 et antérieures
Oracle	N/A	Oracle WebCenter Content versions 10.1.1.8.0 et antérieures
Oracle	N/A	Oracle Web Cache versions 11.1.1.7 et antérieures
Oracle	N/A	Oracle WebLogic Server versions 10.3.6.0 et antérieures
Oracle	N/A	Oracle Portal versions 11.1.1.6.0 et antérieures
Oracle	N/A	Oracle Access Manager versions 11.1.1.5.0 et antérieures
Oracle	N/A	Oracle JDeveloper versions 11.1.2.4.0 et antérieures
Oracle	N/A	Oracle Containers for J2EE versions 10.1.3.5.0 et antérieures
Oracle	N/A	Oracle Security Service versions 12.2.1 et antérieures
Oracle	N/A	Oracle GlassFish Server versions 2.1.1 et antérieures
Oracle	N/A	Oracle JDeveloper versions 11.1.2.3.0 et antérieures
Oracle	N/A	Oracle Web Services versions 11.1.1.6.0 et antérieures
Oracle	N/A	Oracle WebCenter Content versions 10.1.1.6.0 et antérieures

References

Title

Publication Time

FKIE_CVE-2013-2172

Vulnerability from fkie_nvd - Published: 2013-08-20 22:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1207.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1208.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1209.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1217.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1218.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1219.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1220.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1375.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1437.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1853.html
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0212.html
secalert@redhat.com	http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc	Vendor Advisory
secalert@redhat.com	http://seclists.org/fulldisclosure/2014/Dec/23
secalert@redhat.com	http://secunia.com/advisories/54019	Vendor Advisory
secalert@redhat.com	http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h	Patch
secalert@redhat.com	http://www.debian.org/security/2014/dsa-3065
secalert@redhat.com	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
secalert@redhat.com	http://www.osvdb.org/94651
secalert@redhat.com	http://www.securityfocus.com/archive/1/534161/100/0/threaded
secalert@redhat.com	http://www.securityfocus.com/bid/60846
secalert@redhat.com	http://www.ubuntu.com/usn/USN-2028-1
secalert@redhat.com	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
secalert@redhat.com	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1207.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1208.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1209.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1217.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1218.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1219.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1220.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1375.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1437.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1853.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0212.html
af854a3a-2127-422b-91ae-364da2661108	http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2014/Dec/23
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/54019	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2014/dsa-3065
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/94651
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/534161/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/60846
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2028-1
af854a3a-2127-422b-91ae-364da2661108	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E

Impacted products

Vendor	Product	Version
apache	santuario_xml_security_for_java	1.4.7
apache	santuario_xml_security_for_java	1.5.0
apache	santuario_xml_security_for_java	1.5.1
apache	santuario_xml_security_for_java	1.5.2
apache	santuario_xml_security_for_java	1.5.3
apache	santuario_xml_security_for_java	1.5.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DB7492B-1D95-48D0-9892-C8A47FD15414",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D8837A5-0840-44D3-BD7D-335611BDF64D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD0057FF-4F75-4F35-BD15-1093D22AFE04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C65E4B50-5F5C-4F04-8CF8-4D1CCA2BF427",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5889CDAF-4F5A-42D9-A6CE-7F7A4222ECB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDD00EBA-1B65-4245-9A3D-D389830450BB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\""
    },
    {
      "lang": "es",
      "value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a  1.4.8 y  1.5.x anterior a  1.5.5 , permite a atacantes dependientes del contexto suplantar una firma XML utilizando el par\u00e1metro \"CanonicalizationMethod\" para especificar la debilidad arbitraria: \"canonizaci\u00f3n del algoritmo a aplicar para la parte SignedInfo de la firma\"."
    }
  ],
  "id": "CVE-2013-2172",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-08-20T22:55:04.093",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://seclists.org/fulldisclosure/2014/Dec/23"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/54019"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2014/dsa-3065"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.osvdb.org/94651"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/60846"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.ubuntu.com/usn/USN-2028-1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2014/Dec/23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/54019"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2014/dsa-3065"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/94651"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/60846"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2028-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-R237-W2W6-JQ3P

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2024-03-05 18:21

Summary

Inefficient Algorithmic Complexity in Apache Santuario XML Security

Details

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.santuario:xmlsec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.santuario:xmlsec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-2172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-407"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T19:08:41Z",
    "nvd_published_at": "2013-08-20T22:55:00Z",
    "severity": "MODERATE"
  },
  "details": "`jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java` in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\"",
  "id": "GHSA-r237-w2w6-jq3p",
  "modified": "2024-03-05T18:21:58Z",
  "published": "2022-05-13T01:05:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/santuario-java"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
    },
    {
      "type": "WEB",
      "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Dec/23"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-3065"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2028-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Inefficient Algorithmic Complexity in Apache Santuario XML Security"
}

GSD-2013-2172

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2013-2172

Aliases

CVE-2013-2172

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-2172",
    "description": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\"",
    "id": "GSD-2013-2172",
    "references": [
      "https://www.debian.org/security/2014/dsa-3065",
      "https://access.redhat.com/errata/RHSA-2014:1369",
      "https://access.redhat.com/errata/RHSA-2014:0400",
      "https://access.redhat.com/errata/RHSA-2014:0212",
      "https://access.redhat.com/errata/RHSA-2013:1853",
      "https://access.redhat.com/errata/RHSA-2013:1437",
      "https://access.redhat.com/errata/RHSA-2013:1375",
      "https://access.redhat.com/errata/RHSA-2013:1220",
      "https://access.redhat.com/errata/RHSA-2013:1219",
      "https://access.redhat.com/errata/RHSA-2013:1218",
      "https://access.redhat.com/errata/RHSA-2013:1217",
      "https://access.redhat.com/errata/RHSA-2013:1209",
      "https://access.redhat.com/errata/RHSA-2013:1208",
      "https://access.redhat.com/errata/RHSA-2013:1207",
      "https://advisories.mageia.org/CVE-2013-2172.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-2172"
      ],
      "details": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\"",
      "id": "GSD-2013-2172",
      "modified": "2023-12-13T01:22:17.559538Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-2172",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1437.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
          },
          {
            "name": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1207.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1208.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1209.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1217.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1218.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1219.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1220.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1375.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1853.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2014-0212.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
          },
          {
            "name": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
            "refsource": "MISC",
            "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2014/Dec/23",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2014/Dec/23"
          },
          {
            "name": "http://secunia.com/advisories/54019",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/54019"
          },
          {
            "name": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h",
            "refsource": "MISC",
            "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
          },
          {
            "name": "http://www.debian.org/security/2014/dsa-3065",
            "refsource": "MISC",
            "url": "http://www.debian.org/security/2014/dsa-3065"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html",
            "refsource": "MISC",
            "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
          },
          {
            "name": "http://www.osvdb.org/94651",
            "refsource": "MISC",
            "url": "http://www.osvdb.org/94651"
          },
          {
            "name": "http://www.securityfocus.com/archive/1/534161/100/0/threaded",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
          },
          {
            "name": "http://www.securityfocus.com/bid/60846",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/60846"
          },
          {
            "name": "http://www.ubuntu.com/usn/USN-2028-1",
            "refsource": "MISC",
            "url": "http://www.ubuntu.com/usn/USN-2028-1"
          },
          {
            "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html",
            "refsource": "MISC",
            "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[1.4-alpha0,1.4.7],[1.5-alpha0,1.5.4]",
          "affected_versions": "All versions starting from 1.4-alpha0 up to 1.4.7, all versions starting from 1.5-alpha0 up to 1.5.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-310",
            "CWE-937"
          ],
          "date": "2018-10-09",
          "description": "`jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java` in this package allows context-dependent attackers to spoof an XML Signature by using the `CanonicalizationMethod` parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the `SignedInfo` part of the Signature.\"",
          "fixed_versions": [
            "1.4.8",
            "1.5.5"
          ],
          "identifier": "CVE-2013-2172",
          "identifiers": [
            "CVE-2013-2172"
          ],
          "not_impacted": "All versions before 1.4-alpha0, all versions after 1.4.7 before 1.5-alpha0, all versions after 1.5.4",
          "package_slug": "maven/org.apache.santuario/xmlsec",
          "pubdate": "2013-08-20",
          "solution": "Upgrade to versions 1.4.8, 1.5.5 or above.",
          "title": "XML signature spoofing",
          "urls": [
            "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2172"
          ],
          "uuid": "13c028d1-85b4-495f-8880-12f58d86b83d"
        },
        {
          "affected_range": "[1.4,1.4.7],[1.5,1.5.4]",
          "affected_versions": "All versions starting from 1.4 up to 1.4.7, all versions starting from 1.5 up to 1.5.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-310",
            "CWE-937"
          ],
          "date": "2018-10-09",
          "description": "Attackers could spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the `SignedInfo` part of the Signature.",
          "fixed_versions": [
            "1.4.8",
            "1.5.5"
          ],
          "identifier": "CVE-2013-2172",
          "identifiers": [
            "CVE-2013-2172"
          ],
          "not_impacted": "All versions before 1.4, all versions after 1.4.7 before 1.5, all versions after 1.5.4",
          "package_slug": "maven/xml-security/xmlsec",
          "pubdate": "2013-08-20",
          "solution": "Upgrade to versions 1.4.8, 1.5.5 or above.",
          "title": "Cryptographic Issues",
          "urls": [
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2172",
            "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
          ],
          "uuid": "61590481-bdc1-46bd-b177-71dc5fa1749e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-2172"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-310"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "94651",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/94651"
            },
            {
              "name": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
            },
            {
              "name": "54019",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/54019"
            },
            {
              "name": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
            },
            {
              "name": "RHSA-2013:1217",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
            },
            {
              "name": "RHSA-2013:1218",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
            },
            {
              "name": "RHSA-2013:1220",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
            },
            {
              "name": "RHSA-2013:1219",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
            },
            {
              "name": "RHSA-2013:1208",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
            },
            {
              "name": "RHSA-2013:1209",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
            },
            {
              "name": "RHSA-2013:1207",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
            },
            {
              "name": "RHSA-2013:1375",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
            },
            {
              "name": "RHSA-2013:1437",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
            },
            {
              "name": "RHSA-2013:1853",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
            },
            {
              "name": "RHSA-2014:0212",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
            },
            {
              "name": "DSA-3065",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2014/dsa-3065"
            },
            {
              "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
            },
            {
              "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
              "refsource": "FULLDISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2014/Dec/23"
            },
            {
              "name": "60846",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/60846"
            },
            {
              "name": "USN-2028-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2028-1"
            },
            {
              "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
            },
            {
              "name": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-04-18T19:06Z",
      "publishedDate": "2013-08-20T22:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-2172 (GCVE-0-2013-2172)

CVE-2013-2172

CERTA-2013-AVI-575

Solution

FKIE_CVE-2013-2172

GHSA-R237-W2W6-JQ3P

GSD-2013-2172

Tags

Sightings

Nomenclature