CVSS: 5.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.

• http://rhn.redhat.com/errata/RHSA-2013-1207.html
• http://rhn.redhat.com/errata/RHSA-2013-1208.html
• http://rhn.redhat.com/errata/RHSA-2013-1209.html
• http://rhn.redhat.com/errata/RHSA-2013-1217.html
• http://rhn.redhat.com/errata/RHSA-2013-1218.html
• http://rhn.redhat.com/errata/RHSA-2013-1219.html
• http://rhn.redhat.com/errata/RHSA-2013-1220.html
• http://rhn.redhat.com/errata/RHSA-2013-1375.html
• http://rhn.redhat.com/errata/RHSA-2013-1437.html
• http://rhn

• CWE-290: Authentication Bypass by Spoofing
• CWE-310: Cryptographic Issues