All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform inside a RetrievalMethod element to extract any local .xml file.
History
07 Nov 2023, 03:38
Type | Values Removed | Values Added |
---|---|---|
References | | |
18 Aug 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
28 Apr 2023, 18:27
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:* | |
First Time | Apache santuario Xml Security For Java | |
05 Oct 2022, 02:06
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
First Time | Oracle flexcube Private Banking; Oracle communications Diameter Intelligence Hub; Oracle commerce Platform; Oracle commerce Guided Search; Oracle retail Integration Bus; Oracle retail Bulk Data Integration; Oracle retail Merchandising System; Oracle agile Plm; Oracle retail Service Backbone; Oracle weblogic Server; Oracle; Oracle communications Messaging Server; Oracle retail Financial Integration; Oracle peoplesoft Enterprise Peopletools; Oracle outside In Technology | |
CPE | cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:* |
25 Jul 2022, 18:16
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References | | |
03 Dec 2021, 02:50
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c@%3Ccommits.tomee.apache.org%3E - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-5010 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59@%3Cissues.cxf.apache.org%3E - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:3.4.4:*:*:*:*:*:*:* |
16 Nov 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
28 Oct 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
27 Oct 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
01 Oct 2021, 16:08
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : 5.0; v3 : 7.5 |
References | (MISC) https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E - Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4@%3Ccommits.tomee.apache.org%3E - Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8@%3Ccommits.tomee.apache.org%3E - Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8@%3Cuser.poi.apache.org%3E - Exploit, Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa@%3Ccommits.tomee.apache.org%3E - Exploit, Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28@%3Ccommits.tomee.apache.org%3E - Issue Tracking, Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f@%3Ccommits.tomee.apache.org%3E - Issue Tracking, Mailing List, Patch, Third Party Advisory | |
CWE | CWE-200 | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:apache:xml_security_for_java:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:* |
27 Sep 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
23 Sep 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
23 Sep 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
22 Sep 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
19 Sep 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2021-09-19 18:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-40690
Mitre link : CVE-2021-40690
CVE.ORG link : CVE-2021-40690
Products Affected
oracle
- commerce_platform
- flexcube_private_banking
- agile_plm
- outside_in_technology
- retail_service_backbone
- commerce_guided_search
- communications_diameter_intelligence_hub
- retail_bulk_data_integration
- weblogic_server
- communications_messaging_server
- retail_financial_integration
- peoplesoft_enterprise_peopletools
- retail_integration_bus
- retail_merchandising_system
apache
- santuario_xml_security_for_java
- tomee
- cxf
debian
- debian_linux
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor