4 results (0.015 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2023-44483 – Apache Santuario: Private Key disclosure in debug-log output

https://notcve.org/view.php?id=CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue. Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a un problema en el que se puede revelar una clave privada en los archivos de registro al generar un La firma XML y el registro con nivel de depuración están habilitados. Se recomienda a los usuarios actualizar a la versión 2.2.6, 2.3.4 o 3.0.3, que soluciona este problema. All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.  • http://www.openwall.com/lists/oss-security/2023/10/20/5 https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 https://access.redhat.com/security/cve/CVE-2023-44483 https://bugzilla.redhat.com/show_bug.cgi?id=2246070 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0

CVE-2021-40690 – Bypass of the secureValidation property

https://notcve.org/view.php?id=CVE-2021-40690

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. Todas las versiones de Apache Santuario - XML Security for Java anteriores a 2.2.3 y 2.1.7 son vulnerables a un problema donde la propiedad "secureValidation" no es pasada correctamente cuando es creado un KeyInfo a partir de un elemento KeyInfoReference. Esto permite a un atacante abusar de una transformación XPath para extraer cualquier archivo local .xml en un elemento RetrievalMethod • https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4% • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 7%CPEs: 18EXPL: 0

CVE-2013-4517 – Java: Java XML Signature DoS Attack

https://notcve.org/view.php?id=CVE-2013-4517

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. Apache Santuario XML Security para Java anteriores a 1.5.6, cuando se aplican Transforms, permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de Document Type Definitions (DTDs) manipulados, relacionado con firmas. It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. • http://osvdb.org/101169 http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html http://rhn.redhat.com/errata/RHSA-2014-0170.html http://rhn.redhat.com/errata/RHSA-2014-0171.html http://rhn.redhat.com/errata/RHSA-2014-0172.html http://rhn.redhat.com/errata/RHSA-2014-0195.html http://rhn.redhat.com/errata/RHSA-2014-1725.html http://rhn.redhat.com/errata/RHSA-2014-1726.html http://rhn.redhat.com/errata/RHSA-2014-1727.html http:&#x • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.8EPSS: 0%CPEs: 6EXPL: 0

CVE-2013-2172 – Java: XML signature spoofing

https://notcve.org/view.php?id=CVE-2013-2172

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature." jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a 1.4.8 y 1.5.x anterior a 1.5.5 , permite a atacantes dependientes del contexto suplantar una firma XML utilizando el parámetro "CanonicalizationMethod" para especificar la debilidad arbitraria: "canonización del algoritmo a aplicar para la parte SignedInfo de la firma". A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. • http://rhn.redhat.com/errata/RHSA-2013-1207.html http://rhn.redhat.com/errata/RHSA-2013-1208.html http://rhn.redhat.com/errata/RHSA-2013-1209.html http://rhn.redhat.com/errata/RHSA-2013-1217.html http://rhn.redhat.com/errata/RHSA-2013-1218.html http://rhn.redhat.com/errata/RHSA-2013-1219.html http://rhn.redhat.com/errata/RHSA-2013-1220.html http://rhn.redhat.com/errata/RHSA-2013-1375.html http://rhn.redhat.com/errata/RHSA-2013-1437.html http://rhn • CWE-290: Authentication Bypass by Spoofing CWE-310: Cryptographic Issues •