CVE-2021-40690: Exposure of Sensitive Information to an Unauthorized Actor

September 19, 2021 (updated November 7, 2023)

All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the “secureValidation” property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

References

nvd.nist.gov/vuln/detail/CVE-2021-40690

Detect and mitigate CVE-2021-40690 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →