Bug 1193879 - (CVE-2021-40690) VUL-1: CVE-2021-40690: xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)
VUL-1: CVE-2021-40690: xml-security: XPath Transform abuse allows for informa...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.3
Other Other
: P4 - Low : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/310339/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-17 16:26 UTC by Gabriele Sonnu
Modified: 2022-04-11 07:05 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2021-12-17 16:26:02 UTC
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and
2.1.7 are vulnerable to an issue where the "secureValidation" property is not
passed correctly when creating a KeyInfo from a KeyInfoReference element. This
allows an attacker to abuse an XPath Transform to extract any local .xml files
in a RetrievalMethod element.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2011190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40690
http://seclists.org/oss-sec/2021/q3/177
https://access.redhat.com/errata/RHSA-2021:5170.html
http://www.debian.org/security/-1/dsa-5010
https://access.redhat.com/errata/RHSA-2021:5150.html
https://access.redhat.com/errata/RHSA-2021:5151.html
https://access.redhat.com/errata/RHSA-2021:5149.html
https://access.redhat.com/errata/RHSA-2021:5154.html
http://www.cvedetails.com/cve/CVE-2021-40690/
https://exchange.xforce.ibmcloud.com/vulnerabilities/209586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690
https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8@%3Cuser.poi.apache.org%3E
https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994569
https://seclists.org/oss-sec/2021/q3/177
https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f@%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4@%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8@%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa@%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28@%3Ccommits.tomee.apache.org%3E
Comment 1 Gabriele Sonnu 2021-12-17 16:26:44 UTC
Please update to a non vulnerable version (>= 2.1.7).
Comment 2 OBSbugzilla Bot 2021-12-17 19:30:03 UTC
This is an autogenerated message for OBS integration:
This bug (1193879) was mentioned in
https://build.opensuse.org/request/show/941287 Factory / xml-security
Comment 3 Gianluca Gabrielli 2022-04-11 07:05:05 UTC
done