QwikSec

Security Database

CVE

CWE

Training

CVE-2021-40690

Published: Sep 19, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Vendor	Product	Versions
Apache Software Foundation	Apache Santuario	affected `XML Security for Java - < 2.2.3,2.1.7`

Weaknesses (CWE)

References

https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E

[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690

mailing-list

[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

mailing-list

[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

mailing-list

[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

mailing-list

[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

mailing-list

[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar

mailing-list

[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update

mailing-list

[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4

mailing-list

[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

mailing-list

vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://security.netapp.com/advisory/ntap-20230818-0002/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.