Vulnerability Details : CVE-2013-2172
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature: the algorithm named by the CanonicalizationMethod element is not restricted to the standard C14N algorithms, so an attacker can specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature" before the signature value is checked. Fixed in 1.4.8 and 1.5.5.
Products affected by CVE-2013-2172
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-2172
EPSS score: 0.49% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~76% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2013-2172
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2013-2172
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-2172
- http://rhn.redhat.com/errata/RHSA-2013-1220.html (Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2013-1375.html (RHSA-2013:1375 - Security Advisory - Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2013-1217.html (RHSA-2013:1217 - Security Advisory - Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2013-1208.html (RHSA-2013:1208 - Security Advisory - Red Hat Customer Portal)
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html (VMSA-2014-0012.1)
- http://rhn.redhat.com/errata/RHSA-2013-1218.html (RHSA-2013:1218 - Security Advisory - Red Hat Customer Portal)
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html (Oracle Critical Patch Update - July 2014)
- http://rhn.redhat.com/errata/RHSA-2013-1437.html (Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2014-0212.html (RHSA-2014:0212 - Security Advisory - Red Hat Customer Portal)
- http://rhn.redhat.com/errata/RHSA-2013-1219.html (RHSA-2013:1219 - Security Advisory - Red Hat Customer Portal)
- http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h ([Apache-SVN] Diff of /santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java; Patch)
- https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E (svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html - Apache M)
- http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc (Vendor Advisory)
- http://seclists.org/fulldisclosure/2014/Dec/23 (Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities)
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E (svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html - Apache Mail Archives)
- http://rhn.redhat.com/errata/RHSA-2013-1209.html (RHSA-2013:1209 - Security Advisory - Red Hat Customer Portal)
- http://www.securityfocus.com/bid/60846 (Apache Santuario XML Security for JAVA XML Signature CVE-2013-2172 Security Bypass Vulnerability)
- http://rhn.redhat.com/errata/RHSA-2013-1207.html (RHSA-2013:1207 - Security Advisory - Red Hat Customer Portal)
- http://www.securityfocus.com/archive/1/534161/100/0/threaded (SecurityFocus)
- http://rhn.redhat.com/errata/RHSA-2013-1853.html (RHSA-2013:1853 - Security Advisory - Red Hat Customer Portal)
- http://www.debian.org/security/2014/dsa-3065 (Debian -- Security Information -- DSA-3065-1 libxml-security-java)
- http://www.ubuntu.com/usn/USN-2028-1 (USN-2028-1: Apache XML Security for Java vulnerability | Ubuntu security notices)