CVE-2013-2172 Vulnerability in maven package org.apache.santuario:xmlsec

Description

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Remediation

References

http://rhn.redhat.com/errata/RHSA-2013-1207.html

http://rhn.redhat.com/errata/RHSA-2013-1208.html

http://rhn.redhat.com/errata/RHSA-2013-1209.html

http://rhn.redhat.com/errata/RHSA-2013-1217.html

http://rhn.redhat.com/errata/RHSA-2013-1218.html

http://rhn.redhat.com/errata/RHSA-2013-1219.html

http://rhn.redhat.com/errata/RHSA-2013-1220.html

http://rhn.redhat.com/errata/RHSA-2013-1375.html

http://rhn.redhat.com/errata/RHSA-2013-1437.html

http://rhn.redhat.com/errata/RHSA-2013-1853.html

http://rhn.redhat.com/errata/RHSA-2014-0212.html

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/54019

http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h

http://www.debian.org/security/2014/dsa-3065

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.osvdb.org/94651

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/60846

http://www.ubuntu.com/usn/USN-2028-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E

https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E