CVE-2021-40690

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.tomee/tomee-webapp

Identifier

CVE-2021-40690

Package Slug

maven/org.apache.tomee/tomee-webapp

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

All versions of Apache Santuario - XML Security for Java are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Affected Versions

All versions before 8.0.8

Solution

Upgrade to version 8.0.8 or above.

Last Modified

2021-10-10

source