ID CVE-2013-2172
Summary jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
References
Vulnerable Configurations
  • cpe:2.3:a:apache:xml_security_for_java:1.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml_security_for_java:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml_security_for_java:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml_security_for_java:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml_security_for_java:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml_security_for_java:1.5.4:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 09-10-2018 - 19:34)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality NONE
Integrity PARTIAL
Availability NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2013:1207
  • rhsa
    id RHSA-2013:1208
  • rhsa
    id RHSA-2013:1209
  • rhsa
    id RHSA-2013:1217
  • rhsa
    id RHSA-2013:1218
  • rhsa
    id RHSA-2013:1219
  • rhsa
    id RHSA-2013:1220
  • rhsa
    id RHSA-2013:1375
  • rhsa
    id RHSA-2013:1437
  • rhsa
    id RHSA-2013:1853
  • rhsa
    id RHSA-2014:0212
refmap via4
bid 60846
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
debian DSA-3065
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
misc http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h
osvdb 94651
secunia 54019
ubuntu USN-2028-1
Last major update 09-10-2018 - 19:34
Published 20-08-2013 - 22:55