FKIE_CVE-2013-2172
Vulnerability from fkie_nvd - Published: 2013-08-20 22:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | santuario_xml_security_for_java | 1.4.7 | |
| apache | santuario_xml_security_for_java | 1.5.0 | |
| apache | santuario_xml_security_for_java | 1.5.1 | |
| apache | santuario_xml_security_for_java | 1.5.2 | |
| apache | santuario_xml_security_for_java | 1.5.3 | |
| apache | santuario_xml_security_for_java | 1.5.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "3DB7492B-1D95-48D0-9892-C8A47FD15414",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7D8837A5-0840-44D3-BD7D-335611BDF64D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0057FF-4F75-4F35-BD15-1093D22AFE04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C65E4B50-5F5C-4F04-8CF8-4D1CCA2BF427",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5889CDAF-4F5A-42D9-A6CE-7F7A4222ECB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EDD00EBA-1B65-4245-9A3D-D389830450BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\""
},
{
"lang": "es",
"value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a 1.4.8 y 1.5.x anterior a 1.5.5 , permite a atacantes dependientes del contexto suplantar una firma XML utilizando el par\u00e1metro \"CanonicalizationMethod\" para especificar la debilidad arbitraria: \"canonizaci\u00f3n del algoritmo a aplicar para la parte SignedInfo de la firma\"."
}
],
"id": "CVE-2013-2172",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-08-20T22:55:04.093",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/54019"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2014/dsa-3065"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/94651"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/60846"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2028-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/54019"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-3065"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/94651"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/60846"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2028-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…