CVE-2021-40690
CVE-2021-40690 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. EPSS estimates a 10.45% chance of exploitation in the next 30 days.
Description
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Santuario XML Security for Java | < 2.1.7 |
| Apache | Santuario XML Security for Java | >= 2.2.0, < 2.2.3 |
| Apache | CXF | 3.4.4 |
| Apache | TomEE | < 8.0.8 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Oracle | Agile PLM | 9.3.6 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Commerce Platform | 11.3.2 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.1.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.2.0, <= 8.2.3 |
| Oracle | Communications Messaging Server | 8.1 |
| Oracle | FLEXCUBE Private Banking | 12.1.0 |
| Oracle | Outside In Technology | 8.5.5 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.58 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.59 |
| Oracle | Retail Bulk Data Integration | 16.0.3 |
| Oracle | Retail Financial Integration | 14.1.3.2 |
| Oracle | Retail Financial Integration | 15.0.3.1 |
| Oracle | Retail Financial Integration | 16.0.3 |
| Oracle | Retail Financial Integration | 19.0.1 |
| Oracle | Retail Integration Bus | 14.1.3.2 |
| Oracle | Retail Integration Bus | 15.0.3.1 |
| Oracle | Retail Integration Bus | 16.0.3 |
| Oracle | Retail Integration Bus | 19.0.1 |
| Oracle | Retail Merchandising System | 16.0.3 |
| Oracle | Retail Merchandising System | 19.0.1 |
| Oracle | Retail Service Backbone | 14.1.3.2 |
| Oracle | Retail Service Backbone | 15.0.3.1 |
| Oracle | Retail Service Backbone | 16.0.3 |
| Oracle | Retail Service Backbone | 19.0.1 |
| Oracle | WebLogic Server | 12.2.1.4.0 |
| Oracle | WebLogic Server | 14.1.1.0.0 |
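Because the vulnerable code path ignores the "secureValidation" setting, the only fix is to move to a patched release, so the practical check is whether a build still pulls in an affected xmlsec version. The following script is an added example and is not part of the NVD record or of the Santuario project; it encodes the two affected ranges from the table above (before 2.1.7, and 2.2.0 up to but not including 2.2.3), resolves Maven version properties, and flags an unresolved placeholder rather than passing over it. The Maven coordinates org.apache.santuario:xmlsec are the library's real artifact; the pom.xml below is constructed for illustration.

```python
"""Dependency check for CVE-2021-40690 (Apache Santuario XML Security for Java).

Added example, not part of the advisory. Affected ranges come from the
advisory text: every release before 2.1.7, and 2.2.0 <= v < 2.2.3.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound, exclusive upper bound) for each affected range.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0,), (2, 1, 7)),        # < 2.1.7
    ((2, 2, 0), (2, 2, 3)),   # >= 2.2.0, < 2.2.3
]

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
TARGET = ("org.apache.santuario", "xmlsec")   # real Maven coordinates of the library


def parse_version(text: str) -> Version:
    """Turn '2.2.1' or '2.2.1-SNAPSHOT' into a numeric tuple.
    Qualifiers such as -SNAPSHOT are dropped, which keeps the check conservative."""
    m = re.match(r"^\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _norm(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so that '2.2' and '2.2.0' compare equal."""
    return tuple(v) + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = _norm(parse_version(version))
    return any(_norm(lo) <= v < _norm(hi) for lo, hi in AFFECTED_RANGES)


def vulnerable_dependencies(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for each xmlsec dependency in an affected range.
    A ${property} that cannot be resolved is reported as 'unresolved' so that
    an inherited or externally managed version is not silently treated as safe."""
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    props: Dict[str, str] = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", ns)
    }
    findings: List[Tuple[str, str]] = []
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        version = dep.findtext("m:version", default="", namespaces=ns).strip()
        if (group, artifact) != TARGET:
            continue
        placeholder = re.fullmatch(r"\$\{([^}]+)\}", version)
        if placeholder:
            version = props.get(placeholder.group(1), "")
        if not version:
            findings.append((artifact, "unresolved"))
        elif is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed sample pom.xml: pins xmlsec 2.2.1 through a property (affected)
# and carries one unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>constructed-app</artifactId>
  <version>1.0</version>
  <properties>
    <xmlsec.version>2.2.1</xmlsec.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>${xmlsec.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version in vulnerable_dependencies(SAMPLE_POM):
        print(f"CVE-2021-40690: {artifact} {version} is in an affected range")
```

The script only reads the literal pom.xml, so versions coming from a parent POM or a BOM show up as "unresolved"; for those, run it against the effective POM produced by the build tool rather than the source file.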
References
- https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E (Issue Tracking, Mailing List, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5010 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
