CVE-2013-4517: Input Validation
First published: Fri Dec 20 2013(Updated: )
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xml-security | <1.5.6 | 1.5.6 |
| maven/org.apache.santuario:xmlsec | <1.5.6 | 1.5.6 |
| Apache Santuario | <=1.5.5 | |
| Apache Santuario | =1.2.0 | |
| Apache Santuario | =1.2.1 | |
| Apache Santuario | =1.3.0 | |
| Apache Santuario | =1.4.0 | |
| Apache Santuario | =1.4.1 | |
| Apache Santuario | =1.4.2 | |
| Apache Santuario | =1.4.3 | |
| Apache Santuario | =1.4.4 | |
| Apache Santuario | =1.4.5 | |
| Apache Santuario | =1.4.6 | |
| Apache Santuario | =1.4.7 | |
| Apache Santuario | =1.4.8 | |
| Apache Santuario | =1.5.0 | |
| Apache Santuario | =1.5.1 | |
| Apache Santuario | =1.5.2 | |
| Apache Santuario | =1.5.3 | |
| Apache Santuario | =1.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cwiki.apache.org/confluence/download/attachments/27821224/cve-2013-4517.txt.asc
- http://svn.apache.org/viewvc?view=revision&revision=1537956
- http://coheigea.blogspot.com.au/2013/12/security-advisory-cve-2013-4517-released.html
- https://rhn.redhat.com/errata/RHSA-2014-0172.html
- https://rhn.redhat.com/errata/RHSA-2014-0171.html
- https://rhn.redhat.com/errata/RHSA-2014-0170.html
- https://rhn.redhat.com/errata/RHSA-2014-0195.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://rhn.redhat.com/errata/RHSA-2014-0473.html
- https://rhn.redhat.com/errata/RHSA-2014-0582.html
- https://access.redhat.com/support/policy/updates/fusesource/
- https://access.redhat.com/support/policy/updates/jboss_notes/
- https://github.com/victims/victims-cve-db/blob/master/database/java/2013/4517.yaml
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1157992
- https://rhn.redhat.com/errata/RHSA-2014-1725.html
- https://rhn.redhat.com/errata/RHSA-2014-1728.html
- https://rhn.redhat.com/errata/RHSA-2014-1727.html
- https://rhn.redhat.com/errata/RHSA-2014-1726.html
- https://rhn.redhat.com/errata/RHSA-2015-0675.html
- https://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://rhn.redhat.com/errata/RHSA-2015-0850.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1045257
- http://osvdb.org/101169
- http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html
- http://rhn.redhat.com/errata/RHSA-2014-0170.html
- http://rhn.redhat.com/errata/RHSA-2014-0171.html
- http://rhn.redhat.com/errata/RHSA-2014-0172.html
- http://rhn.redhat.com/errata/RHSA-2014-0195.html
- http://rhn.redhat.com/errata/RHSA-2014-1725.html
- http://rhn.redhat.com/errata/RHSA-2014-1726.html
- http://rhn.redhat.com/errata/RHSA-2014-1727.html
- http://rhn.redhat.com/errata/RHSA-2014-1728.html
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc
- http://seclists.org/fulldisclosure/2013/Dec/169
- http://secunia.com/advisories/55639
- http://www.securityfocus.com/bid/64437
- http://www.securitytracker.com/id/1029524
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89891
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E
- https://www.tenable.com/security/tns-2018-15
- https://nvd.nist.gov/vuln/detail/CVE-2013-4517
- https://github.com/apache/santuario-java/commit/a09b9042f7759d094f2d49f40fc7bcf145164b25
- https://github.com/advisories/GHSA-4p4w-6h54-g885 (Advisory)
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2013-4517?
CVE-2013-4517 is classified as a denial-of-service vulnerability, allowing attackers to cause memory consumption issues.
How do I fix CVE-2013-4517?
To fix CVE-2013-4517, upgrade to Apache Santuario XML Security for Java version 1.5.6 or later.
What software is affected by CVE-2013-4517?
CVE-2013-4517 affects Apache Santuario XML Security for Java versions prior to 1.5.6.
How does CVE-2013-4517 exploit work?
CVE-2013-4517 exploits vulnerabilities in the handling of crafted Document Type Definitions (DTDs) during Transforms.
Can CVE-2013-4517 be detected?
Detection of CVE-2013-4517 may require monitoring for unusual memory usage patterns in applications using affected versions.
- collector/redhat-bugzilla
- alias/CVE-2013-4517
- agent/author
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4p4w-6h54-g885
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/description
- collector/github-advisory
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- agent/source
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache santuario
- version/apache santuario/1.5.5
- version/apache santuario/1.2.0
- version/apache santuario/1.2.1
- version/apache santuario/1.3.0
- version/apache santuario/1.4.0
- version/apache santuario/1.4.1
- version/apache santuario/1.4.2
- version/apache santuario/1.4.3
- version/apache santuario/1.4.4
- version/apache santuario/1.4.5
- version/apache santuario/1.4.6
- version/apache santuario/1.4.7
- version/apache santuario/1.4.8
- version/apache santuario/1.5.0
- version/apache santuario/1.5.1
- version/apache santuario/1.5.2
- version/apache santuario/1.5.3
- version/apache santuario/1.5.4