CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-44483 – Apache Santuario: Private Key disclosure in debug-log output
https://notcve.org/view.php?id=CVE-2023-44483
20 Oct 2023 — All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue. Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a ... • http://www.openwall.com/lists/oss-security/2023/10/20/5 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2021-40690 – Bypass of the secureValidation property
https://notcve.org/view.php?id=CVE-2021-40690
19 Sep 2021 — All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. Todas las versiones de Apache Santuario - XML Security for Java anteriores a 2.2.3 y 2.1.7 son vulnerables a un problema donde la propiedad "secureValidation" no es pasad... • https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2019-12400 – xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
https://notcve.org/view.php?id=CVE-2019-12400
23 Aug 2019 — In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Se... • http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 3%CPEs: 3EXPL: 0CVE-2014-8152
https://notcve.org/view.php?id=CVE-2014-8152
21 Jan 2015 — Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. Apache Santuario XML Security for Java 2.0.x anterior a 2.0.3 permite a atacantes remotos evadir el mecanismo de protección de firmas de transmisión XML a través de un documento XML manipulado. • http://santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc • CWE-254: 7PK - Security Features •
CVSS: 5.0EPSS: 16%CPEs: 18EXPL: 0CVE-2013-4517 – Java: Java XML Signature DoS Attack
https://notcve.org/view.php?id=CVE-2013-4517
20 Dec 2013 — Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. Apache Santuario XML Security para Java anteriores a 1.5.6, cuando se aplican Transforms, permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de Document Type Definitions (DTDs) manipulados, relacionado con firmas. It was discovered that the Apache S... • http://osvdb.org/101169 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.8EPSS: 5%CPEs: 6EXPL: 0CVE-2013-2172 – Java: XML signature spoofing
https://notcve.org/view.php?id=CVE-2013-2172
20 Aug 2013 — jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature." jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a 1.4.8 y 1.5.x anterior a 1.5.5 , permit... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-290: Authentication Bypass by Spoofing CWE-310: Cryptographic Issues •