CVE-2013-2172
First published: Tue Aug 20 2013(Updated: )
`jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java` in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.santuario:xmlsec | >=1.5.0<1.5.5 | 1.5.5 |
| maven/org.apache.santuario:xmlsec | >=1.4.0<1.4.8 | 1.4.8 |
| Apache Santuario | =1.4.7 | |
| Apache Santuario | =1.5.0 | |
| Apache Santuario | =1.5.1 | |
| Apache Santuario | =1.5.2 | |
| Apache Santuario | =1.5.3 | |
| Apache Santuario | =1.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-2172
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E
- http://rhn.redhat.com/errata/RHSA-2013-1207.html
- http://rhn.redhat.com/errata/RHSA-2013-1208.html
- http://rhn.redhat.com/errata/RHSA-2013-1209.html
- http://rhn.redhat.com/errata/RHSA-2013-1217.html
- http://rhn.redhat.com/errata/RHSA-2013-1218.html
- http://rhn.redhat.com/errata/RHSA-2013-1219.html
- http://rhn.redhat.com/errata/RHSA-2013-1220.html
- http://rhn.redhat.com/errata/RHSA-2013-1375.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- http://rhn.redhat.com/errata/RHSA-2013-1853.html
- http://rhn.redhat.com/errata/RHSA-2014-0212.html
- http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h
- http://www.debian.org/security/2014/dsa-3065
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.ubuntu.com/usn/USN-2028-1
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
- https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded
- https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846
- https://github.com/advisories/GHSA-r237-w2w6-jq3p (Advisory)
- http://svn.apache.org/viewvc?view=revision&revision=1493772
- https://rhn.redhat.com/errata/RHSA-2013-1209.html
- https://rhn.redhat.com/errata/RHSA-2013-1208.html
- https://rhn.redhat.com/errata/RHSA-2013-1207.html
- https://rhn.redhat.com/errata/RHSA-2013-1220.html
- https://rhn.redhat.com/errata/RHSA-2013-1219.html
- https://rhn.redhat.com/errata/RHSA-2013-1218.html
- https://rhn.redhat.com/errata/RHSA-2013-1217.html
- https://rhn.redhat.com/errata/RHSA-2013-1375.html
- https://rhn.redhat.com/errata/RHSA-2013-1437.html
- https://rhn.redhat.com/errata/RHSA-2013-1853.html
- https://rhn.redhat.com/errata/RHSA-2014-0212.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://rhn.redhat.com/errata/RHSA-2014-1369.html
- https://bugzilla.redhat.com/show_bug.cgi?id=999263
- http://secunia.com/advisories/54019
- http://www.osvdb.org/94651
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/60846
- https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590
- https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f
Frequently Asked Questions
What is the severity of CVE-2013-2172?
CVE-2013-2172 has a severity rating that allows context-dependent attackers to spoof XML Signatures.
How do I fix CVE-2013-2172?
To fix CVE-2013-2172, upgrade to Apache Santuario XML Security for Java version 1.4.8 or 1.5.5 or later.
Which versions are affected by CVE-2013-2172?
CVE-2013-2172 affects Apache Santuario XML Security for Java versions 1.4.0 through 1.4.7 and 1.5.0 through 1.5.4.
Can CVE-2013-2172 allow an attacker to exploit a vulnerable system?
Yes, CVE-2013-2172 can enable an attacker to potentially spoof XML Signatures, leading to exploitations.
Is the vulnerability CVE-2013-2172 present in earlier versions of Apache Santuario?
Yes, the vulnerability CVE-2013-2172 is present in versions prior to 1.4.8 and 1.5.5 of Apache Santuario.
- collector/redhat-bugzilla
- alias/CVE-2013-2172
- agent/author
- agent/type
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r237-w2w6-jq3p
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/weakness
- agent/remedy
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- vendor/apache
- canonical/apache santuario
- version/apache santuario/1.4.7
- version/apache santuario/1.5.0
- version/apache santuario/1.5.1
- version/apache santuario/1.5.2
- version/apache santuario/1.5.3
- version/apache santuario/1.5.4