CVE-2021-40690
Description
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the secureValidation property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.378
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2021-40690 are fixed in Apache - xmlsec 2.2.3 | Windows |
| Vulnerabilities CVE-2021-40690 are fixed in Apache - xmlsec 2.1.7 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.2.0.0 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59 | Windows |
| Multiple vulnerabilities are affected in Oracle Commerce Platform 11.3.2 | Windows |
| Vulnerabilities CVE-2021-40690,CVE-2022-21590,CVE-2022-25647 are affected in Oracle BI Publisher 5.9.0.0 | Windows |
| Multiple vulnerabilities are affected in Oracle BI Publisher 6.4.0.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.2.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.9 | Windows |
| libxml-security-java security update(DSA-5010-1) libxml-security-java_2.0.10-2+deb10u1_all.deb | Linux |
| libxml-security-java security update(DSA-5010-1) libxml-security-java_2.0.10-2+deb11u1_all.deb | Linux |
| Apache XML Security for Java (USN-5525-1) libxml-security-java_2.0.10-2~18.04.1_all.deb | Linux |
| Apache XML Security for Java (USN-5525-1) libxml-security-java_2.0.10-2+deb11u1build0.20.04.1_all.deb | Linux |
| Vulnerabilities CVE-2021-40690 are fixed in Apache - xmlsec for Linux 2.2.3 | Linux |
| Vulnerabilities CVE-2021-40690 are fixed in Apache - xmlsec for Linux 2.1.7 | Linux |
| CVE-2021-40690 | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234