CVE-2021-40690

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.santuario/xmlsec

Identifier

CVE-2021-40690

Package Slug

maven/org.apache.santuario/xmlsec

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

All versions of Apache Santuario - XML Security for Java are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Affected Versions

All versions before 2.1.7, all versions starting from 2.2.0 before 2.2.3

Solution

Upgrade to versions 2.1.7, 2.2.3 or above.

Last Modified

2021-10-10

source