WCM RnD created CXF-8613:
----------------------------
Summary: High Security issues reported with Apache Santuario
library bundled in CXF 3.4.4
Key: CXF-8613
URL: https://issues.apache.org/jira/browse/CXF-8613
Project: CXF
Issue Type: Bug
Affects Versions: 3.4.4
Reporter: WCM RnD
High Security Vulnerability CVE-2021-40690 has been reported with the Apache
Santuario 2.2.2 library being bundled within CXF 3.4.4.
[https://nvd.nist.gov/vuln/detail/CVE-2021-40690]
h2. CVE-2021-40690
*Affected Component(s):* Apache Santuario (Java), OpenEJB
*Vulnerability Published:* 2021-09-19 14:15 EDT
*Vulnerability Updated:* 2021-10-01 12:08 EDT
*CVSS Score:* {color:#FF0000}7.5{color} (overall), {color:#FF0000}7.5{color}
(base)
*Summary*: All versions of Apache Santuario - XML Security for Java prior to
2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation"
property is not passed correctly when creating a KeyInfo from a
KeyInfoReference element. This allows an attacker to abuse an XPath Transform
to extract any local .xml files in a RetrievalMethod element.
*Fixed in Apache Santuario version 2.2.3.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
