org.apache.santuario:xmlsec@1.4.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.santuario:xmlsec package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability and vulnerable version ranges:

  • [M] Insertion of Sensitive Information into Log File

org.apache.santuario:xmlsec is a package that provides an implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File when using the JSR 105 API. An attacker can disclose a private key in log files by generating an XML Signature and enabling logging with debug level.

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.apache.santuario:xmlsec to version 2.2.6, 2.3.4, 3.0.3 or higher.

Vulnerable versions: [,2.2.6) [2.3.0,2.3.4) [3.0.0,3.0.3)
  • [M] Improper Input Validation

org.apache.santuario:xmlsec is a package that provides an implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

Affected versions of this package are vulnerable to Improper Input Validation due to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

How to fix Improper Input Validation?

Upgrade org.apache.santuario:xmlsec to version 2.2.3, 2.1.7 or higher.

Vulnerable versions: [2.2.0,2.2.3) [,2.1.7)
  • [M] Denial of Service (DoS)

org.apache.santuario:xmlsec is a package that provides an implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

Affected versions of this package are vulnerable to Denial of Service (DoS). When applying Transforms, it allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

How to fix Denial of Service (DoS)?

Upgrade org.apache.santuario:xmlsec to version 1.5.6 or higher.

Vulnerable versions: [,1.5.6)
  • [M] Denial of Service (DoS)

org.apache.santuario:xmlsec: Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.

Vulnerable versions: [1.4.0,1.4.8) [1.5.0,1.5.3)
  • [M] XML signature spoofing

org.apache.santuario:xmlsec is a package that provides an implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

Affected versions of this package are vulnerable to XML signature spoofing. The class DOMCanonicalizationMethod within jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

How to fix XML signature spoofing?

Upgrade org.apache.santuario:xmlsec to version 1.4.8, 1.5.5 or higher.

Vulnerable versions: [1.4.0,1.4.8) [1.5.0,1.5.5)
  • [M] Authentication Bypass

org.apache.santuario:xmlsec: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Vulnerable versions: [1.4.0,1.4.2]
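Beyond upgrading, four of the entries above (the secureValidation / RetrievalMethod issue, the DTD-driven memory exhaustion, the attacker-chosen CanonicalizationMethod, and the unbounded HMACOutputLength) share one application-side mitigation: parse untrusted XML with DTDs disabled, validate under the JSR 105 secure validation mode, supply the verification key yourself instead of trusting the document's KeyInfo, and enforce your own algorithm allowlist before calling validate(). The Java class below is an added example and is not code from the xmlsec project or from the advisories; the class and method names, the allowlisted algorithm URIs, the 256-bit HMAC minimum, and the single-signature policy are this example's assumptions, and it assumes a JDK or xmlsec version whose JSR 105 provider understands the org.jcp.xml.dsig.secureValidation property.

```java
import java.io.InputStream;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Set;

import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.HMACParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Hardened XML Signature verification (added example; not xmlsec project code).
 * The allowlists and the HMAC minimum below are this example's own policy choices.
 */
public final class HardenedXmlSignatureValidator {

    // Canonicalization algorithms accepted for SignedInfo (assumption: enough for our peers).
    private static final Set<String> ALLOWED_C14N = Set.of(
            CanonicalizationMethod.INCLUSIVE,
            CanonicalizationMethod.EXCLUSIVE);

    // Signature algorithms accepted; both are standard XMLDSig algorithm URIs.
    private static final Set<String> ALLOWED_SIGNATURE_METHODS = Set.of(
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256");

    // Policy: only full-length HMAC-SHA256 output is accepted, so any HMACOutputLength
    // below 256 bits is rejected (assumption: we never sign with truncated HMACs).
    private static final int MIN_HMAC_OUTPUT_BITS = 256;

    private HardenedXmlSignatureValidator() {}

    /** Parses untrusted XML with DTD processing disabled (mitigates DTD-driven memory exhaustion). */
    public static Document parseWithoutDtd(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for ds: element lookups and for XMLDSig itself
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(in);
    }

    /**
     * Verifies the single ds:Signature in doc against a key we already trust.
     * Returns true only if the structural policy checks AND the cryptographic check pass.
     */
    public static boolean validate(Document doc, Key trustedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // policy: exactly one signature, nothing else is accepted
        }

        // The key comes from our own trust store; the document's KeyInfo (including any
        // RetrievalMethod / KeyInfoReference) is never used to resolve it.
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(trustedKey), sigs.item(0));

        // Secure validation mode switches on the provider's built-in restrictions. Affected
        // xmlsec versions failed to propagate it into KeyInfoReference handling, so the
        // explicit checks below are enforced by the application regardless of library version.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        // Reject an attacker-chosen canonicalization algorithm for SignedInfo.
        String c14n = signature.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(c14n)) {
            return false;
        }

        // Reject signature algorithms outside the allowlist.
        SignatureMethod sm = signature.getSignedInfo().getSignatureMethod();
        if (!ALLOWED_SIGNATURE_METHODS.contains(sm.getAlgorithm())) {
            return false;
        }

        // Reject a truncated HMAC: a small HMACOutputLength leaves only a few bits to forge.
        AlgorithmParameterSpec params = sm.getParameterSpec();
        if (params instanceof HMACParameterSpec
                && ((HMACParameterSpec) params).getOutputLength() < MIN_HMAC_OUTPUT_BITS) {
            return false;
        }

        // Only now do the actual reference digest and signature value checks.
        return signature.validate(ctx);
    }
}
```

The order of operations matters: every policy check runs on the unmarshalled structure before validate() is called, so a document that names a weak canonicalization method or a tiny HMACOutputLength is refused without any digest or MAC computation being attempted on attacker-controlled parameters. The algorithm allowlists should mirror what your own signers actually produce; widen them deliberately rather than by accepting whatever the incoming document declares.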