CVE-2021-40690

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-40690
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40690.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-40690
Aliases
Downstream
Related
Published
2021-09-19T18:15:07.223Z
Modified
2026-02-08T04:09:15.848914Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type
GIT
Repo
https://github.com/apache/cxf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3e2217ba0f83edeea22854ba8a90d01a56aeec2a
Fixed
c534c759209cd707a28e92075c937cabdc40baf4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40690.json"

Git / github.com/apache/santuario-xml-security-java

Affected ranges

Type
GIT
Repo
https://github.com/apache/santuario-xml-security-java
Events
Fixed
b9cc7320000478690287c5e154b728af34934b99
Introduced
84721fe33f7d998c85eb45f59e75528b0fb524f5
Fixed
d10ce1ab06cb428d5bbff3d42b1d9bcb8580b6e2

Affected versions

xmlsec-2.*
xmlsec-2.2.0
xmlsec-2.2.1
xmlsec-2.2.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40690.json"