CVE-2021-40690: Infoleak

First published: Fri Sep 17 2021(Updated: )

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.santuario:xmlsec	<2.1.7	2.1.7
maven/org.apache.santuario:xmlsec	>=2.2.0<2.2.3	2.2.3
Apache Santuario XML Security for Java	<2.1.7
Apache Santuario XML Security for Java	>=2.2.0<2.2.3
Apache CXF	=3.4.4
Apache TomEE	<8.0.8
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Debian Debian Linux	=11.0
Oracle Agile PLM	=9.3.6
Oracle Commerce Guided Search	=11.3.2
Oracle Commerce Platform	=11.3.2
Oracle Communications Diameter Intelligence Hub	>=8.0.0<=8.1.0
Oracle Communications Diameter Intelligence Hub	>=8.2.0<=8.2.3
Oracle Communications Messaging Server	=8.1
Oracle FLEXCUBE Private Banking	=12.1.0
Oracle Outside In Technology	=8.5.5
Oracle PeopleSoft Enterprise PeopleTools	=8.58
Oracle PeopleSoft Enterprise PeopleTools	=8.59
Oracle Retail Bulk Data Integration	=16.0.3
Oracle Retail Financial Integration	=14.1.3.2
Oracle Retail Financial Integration	=15.0.3.1
Oracle Retail Financial Integration	=16.0.3
Oracle Retail Financial Integration	=19.0.1
Oracle Retail Integration Bus	=14.1.3.2
Oracle Retail Integration Bus	=15.0.3.1
Oracle Retail Integration Bus	=16.0.3
Oracle Retail Integration Bus	=19.0.1
Oracle Retail Merchandising System	=16.0.3
Oracle Retail Merchandising System	=19.0.1
Oracle Retail Service Backbone	=14.1.3.2
Oracle Retail Service Backbone	=15.0.3.1
Oracle Retail Service Backbone	=16.0.3
Oracle Retail Service Backbone	=19.0.1
Oracle WebLogic Server	=12.2.1.4.0
Oracle WebLogic Server	=14.1.1.0.0
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el6ea	0:3.3.12-1.redhat_00001.1.el6ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el6ea	0:1.5.3-1.Final_redhat_00001.1.el6ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el6ea	0:3.0.3-3.redhat_00007.1.el6ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el6ea	0:4.0.43-1.Final_redhat_00001.1.el6ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el6ea	0:1.7.2-10.Final_redhat_00011.1.el6ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el6ea	0:1.14.2-1.redhat_00002.1.el6ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el6ea	0:3.11.5-1.Final_redhat_00001.1.el6ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el6ea	0:2.0.41-1.SP1_redhat_00001.1.el6ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el6ea	0:7.3.10-2.GA_redhat_00003.1.el6ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el6ea	0:1.10.15-1.Final_redhat_00001.1.el6ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el6ea	0:2.2.7-1.redhat_00001.1.el6ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el6ea	0:2.1.7-1.redhat_00001.1.el6ea
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el7ea	0:3.3.12-1.redhat_00001.1.el7ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el7ea	0:1.5.3-1.Final_redhat_00001.1.el7ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el7ea	0:3.0.3-3.redhat_00007.1.el7ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el7ea	0:4.0.43-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el7ea	0:1.7.2-10.Final_redhat_00011.1.el7ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el7ea	0:1.14.2-1.redhat_00002.1.el7ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el7ea	0:3.11.5-1.Final_redhat_00001.1.el7ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el7ea	0:2.0.41-1.SP1_redhat_00001.1.el7ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el7ea	0:7.3.10-2.GA_redhat_00003.1.el7ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el7ea	0:1.10.15-1.Final_redhat_00001.1.el7ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el7ea	0:2.2.7-1.redhat_00001.1.el7ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el7ea	0:2.1.7-1.redhat_00001.1.el7ea
redhat/eap7-apache-cxf	<0:3.3.12-1.redhat_00001.1.el8ea	0:3.3.12-1.redhat_00001.1.el8ea
redhat/eap7-ironjacamar	<0:1.5.3-1.Final_redhat_00001.1.el8ea	0:1.5.3-1.Final_redhat_00001.1.el8ea
redhat/eap7-jakarta-el	<0:3.0.3-3.redhat_00007.1.el8ea	0:3.0.3-3.redhat_00007.1.el8ea
redhat/eap7-jboss-ejb-client	<0:4.0.43-1.Final_redhat_00001.1.el8ea	0:4.0.43-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-server-migration	<0:1.7.2-10.Final_redhat_00011.1.el8ea	0:1.7.2-10.Final_redhat_00011.1.el8ea
redhat/eap7-jsoup	<0:1.14.2-1.redhat_00002.1.el8ea	0:1.14.2-1.redhat_00002.1.el8ea
redhat/eap7-resteasy	<0:3.11.5-1.Final_redhat_00001.1.el8ea	0:3.11.5-1.Final_redhat_00001.1.el8ea
redhat/eap7-undertow	<0:2.0.41-1.SP1_redhat_00001.1.el8ea	0:2.0.41-1.SP1_redhat_00001.1.el8ea
redhat/eap7-wildfly	<0:7.3.10-2.GA_redhat_00003.1.el8ea	0:7.3.10-2.GA_redhat_00003.1.el8ea
redhat/eap7-wildfly-elytron	<0:1.10.15-1.Final_redhat_00001.1.el8ea	0:1.10.15-1.Final_redhat_00001.1.el8ea
redhat/eap7-wss4j	<0:2.2.7-1.redhat_00001.1.el8ea	0:2.2.7-1.redhat_00001.1.el8ea
redhat/eap7-xml-security	<0:2.1.7-1.redhat_00001.1.el8ea	0:2.1.7-1.redhat_00001.1.el8ea
redhat/rh-sso7-keycloak	<0:15.0.4-1.redhat_00001.1.el7	0:15.0.4-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak	<0:15.0.4-1.redhat_00001.1.el8	0:15.0.4-1.redhat_00001.1.el8
redhat/redhat-sso	<7-sso75-openshift-rhel8	7-sso75-openshift-rhel8
debian/libxml-security-java		2.0.10-2+deb10u1 2.0.10-2+deb11u1 2.1.7-3

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/debian-bugs
alias/CVE-2021-40690
collector/github-advisory
alias/GHSA-j8wc-gxx9-82hx
collector/github-advisory-latest
collector/nvd-api
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/redhat-cve
collector/security-tracker-debian
package-manager/maven
vendor/apache
canonical/apache santuario xml security for java
version/apache santuario xml security for java/2.2.0
canonical/apache cxf
version/apache cxf/3.4.4
canonical/apache tomee
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
version/debian debian linux/11.0
vendor/oracle
canonical/oracle agile plm
version/oracle agile plm/9.3.6
canonical/oracle commerce guided search
version/oracle commerce guided search/11.3.2
canonical/oracle commerce platform
version/oracle commerce platform/11.3.2
canonical/oracle communications diameter intelligence hub
version/oracle communications diameter intelligence hub/8.0.0
version/oracle communications diameter intelligence hub/8.1.0
version/oracle communications diameter intelligence hub/8.2.0
version/oracle communications diameter intelligence hub/8.2.3
canonical/oracle communications messaging server
version/oracle communications messaging server/8.1
canonical/oracle flexcube private banking
version/oracle flexcube private banking/12.1.0
canonical/oracle outside in technology
version/oracle outside in technology/8.5.5
canonical/oracle peoplesoft enterprise peopletools
version/oracle peoplesoft enterprise peopletools/8.58
version/oracle peoplesoft enterprise peopletools/8.59
canonical/oracle retail bulk data integration
version/oracle retail bulk data integration/16.0.3
canonical/oracle retail financial integration
version/oracle retail financial integration/14.1.3.2
version/oracle retail financial integration/15.0.3.1
version/oracle retail financial integration/16.0.3
version/oracle retail financial integration/19.0.1
canonical/oracle retail integration bus
version/oracle retail integration bus/14.1.3.2
version/oracle retail integration bus/15.0.3.1
version/oracle retail integration bus/16.0.3
version/oracle retail integration bus/19.0.1
canonical/oracle retail merchandising system
version/oracle retail merchandising system/16.0.3
version/oracle retail merchandising system/19.0.1
canonical/oracle retail service backbone
version/oracle retail service backbone/14.1.3.2
version/oracle retail service backbone/15.0.3.1
version/oracle retail service backbone/16.0.3
version/oracle retail service backbone/19.0.1
canonical/oracle weblogic server
version/oracle weblogic server/12.2.1.4.0
version/oracle weblogic server/14.1.1.0.0
package-manager/redhat
package-manager/debian

CVE-2021-40690: Infoleak

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact