XML signature spoofing Affecting org.apache.santuario:xmlsec package, versions [1.4.0,1.4.8) [1.5.0,1.5.5)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
21 Aug 2013
20 Aug 2013
How to fix?
org.apache.santuario:xmlsec to version 1.4.8, 1.5.5 or higher.
org.apache.santuario:xmlsec is a package to provide implementation of the primary security standards for XML, XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.
Affected versions of this package are vulnerable to XML signature spoofing. The class
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."