GHSA-8gwc-x7mg-7p7p

Source

https://github.com/advisories/GHSA-8gwc-x7mg-7p7p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8gwc-x7mg-7p7p/GHSA-8gwc-x7mg-7p7p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8gwc-x7mg-7p7p

Aliases

CVE-2013-5823

Published

2022-05-14T00:02:32Z

Modified

2024-11-30T05:51:57.209571Z

Summary

Apache XML Security For Java vulnerable to Infinite Loop

Details

Affected versions of xmlsec are subject to a denial of service vulnerability. Should a user check the signature of a message larger than 512 MB, the method expandSize(int newPos) of class org.apache.xml.security.utils.UnsyncByteArrayOutputStream goes in an endless loop. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.

Database specific

{
    "nvd_published_at": "2013-10-16T17:55:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:57:18Z"
}

References

Affected packages

Maven / org.apache.santuario:xmlsec

Package

Name: org.apache.santuario:xmlsec; View open source insights on deps.dev
Purl: pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.4.0

Fixed

1.4.8

Affected versions

1.*

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

Maven / org.apache.santuario:xmlsec

Package

Name: org.apache.santuario:xmlsec; View open source insights on deps.dev
Purl: pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

1.5.3

Affected versions

1.*

1.5.0

1.5.1

1.5.2