CVE-2024-34580

Source
https://cve.org/CVERecord?id=CVE-2024-34580
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34580.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34580
Downstream
Withdrawn
2024-08-08T17:18:46Z
Published
2024-06-26T05:15:51Z
Modified
2024-09-18T03:26:17.298447Z
Summary
[none]
Details

Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. Even when avoiding this particular issue, any use of this library would need considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case. We recommend against continued direct use of this library.

References

Affected packages

Debian:11 / xml-security-c

Package

Name
xml-security-c
Purl
pkg:deb/debian/xml-security-c?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.0.2-4
2.0.3-1
2.0.4-1
2.0.4-2
2.0.4-2+hurd.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34580.json"

Debian:12 / xml-security-c

Package

Name
xml-security-c
Purl
pkg:deb/debian/xml-security-c?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.0.4-2
2.0.4-2+hurd.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34580.json"

Debian:13 / xml-security-c

Package

Name
xml-security-c
Purl
pkg:deb/debian/xml-security-c?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.0.4-2
2.0.4-2+hurd.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34580.json"