ID CVE-2013-4517
Summary Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 18-04-2023 - 19:07)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2014:0170
  • rhsa
    id RHSA-2014:0171
  • rhsa
    id RHSA-2014:0172
  • rhsa
    id RHSA-2014:0195
  • rhsa
    id RHSA-2014:1725
  • rhsa
    id RHSA-2014:1726
  • rhsa
    id RHSA-2014:1727
  • rhsa
    id RHSA-2014:1728
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0850
  • rhsa
    id RHSA-2015:0851
rpms
  • hornetq-0:2.3.14-1.Final_redhat_1.1.ep6.el5
  • jacorb-jboss-0:2.3.2-13.redhat_6.1.ep6.el5
  • jboss-as-appclient-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-cli-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-client-all-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-clustering-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-cmp-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-configadmin-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-connector-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-controller-client-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-core-security-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-deployment-repository-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-deployment-scanner-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-domain-http-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-domain-management-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-ee-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-ee-deployment-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-ejb3-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-embedded-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-host-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-jacorb-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-jaxr-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jaxrs-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jdr-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jmx-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-jpa-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-jsf-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jsr77-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-logging-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-mail-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-management-client-content-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-messaging-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-modcluster-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-naming-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-network-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-configadmin-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-service-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-platform-mbean-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-pojo-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-process-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-protocol-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-remoting-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-sar-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-security-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-server-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-system-jmx-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-threads-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-transactions-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-as-version-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-web-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-webservices-0:7.3.1-3.Final_redhat_3.1.ep6.el5
  • jboss-as-weld-0:7.3.1-4.Final_redhat_3.1.ep6.el5
  • jboss-as-xts-0:7.3.1-2.Final_redhat_3.1.ep6.el5
  • jboss-logmanager-0:1.5.2-1.Final_redhat_1.1.ep6.el5
  • jboss-marshalling-0:1.4.3-1.Final_redhat_1.1.ep6.el5
  • jboss-xnio-base-0:3.0.9-1.GA_redhat_1.1.ep6.el5
  • jbossas-core-0:7.3.1-5.Final_redhat_3.1.ep6.el5
  • jbossas-javadocs-0:7.3.1-3.Final_redhat_3.ep6.el5
  • jbossas-modules-eap-0:7.3.1-6.Final_redhat_3.1.ep6.el5
  • jbossweb-0:7.3.0-1.Final_redhat_1.1.ep6.el5
  • netty-0:3.6.7-1.Final_redhat_1.1.ep6.el5
  • picketbox-0:4.0.19-2.SP3_redhat_1.1.ep6.el5
  • weld-core-0:1.1.17-1.Final_redhat_1.1.ep6.el5
  • xml-security-0:1.5.6-1.redhat_1.1.ep6.el5
  • xmltooling-0:1.3.4-5.redhat_3.1.ep6.el5
  • hornetq-0:2.3.14-1.Final_redhat_1.1.ep6.el6
  • jacorb-jboss-0:2.3.2-13.redhat_6.1.ep6.el6
  • jboss-as-appclient-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-cli-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-client-all-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-clustering-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-cmp-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-configadmin-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-connector-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-controller-client-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-core-security-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-deployment-repository-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-deployment-scanner-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-domain-http-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-domain-management-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-ee-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-ee-deployment-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-ejb3-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-embedded-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-host-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-jacorb-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-jaxr-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jaxrs-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jdr-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jmx-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-jpa-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-jsf-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jsr77-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-logging-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-mail-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-management-client-content-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-messaging-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-modcluster-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-naming-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-network-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-configadmin-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-service-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-platform-mbean-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-pojo-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-process-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-protocol-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-remoting-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-sar-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-security-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-server-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-system-jmx-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-threads-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-transactions-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-as-version-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-web-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-webservices-0:7.3.1-3.Final_redhat_3.1.ep6.el6
  • jboss-as-weld-0:7.3.1-4.Final_redhat_3.1.ep6.el6
  • jboss-as-xts-0:7.3.1-2.Final_redhat_3.1.ep6.el6
  • jboss-logmanager-0:1.5.2-1.Final_redhat_1.1.ep6.el6
  • jboss-marshalling-0:1.4.3-1.Final_redhat_1.1.ep6.el6
  • jboss-xnio-base-0:3.0.9-1.GA_redhat_1.1.ep6.el6
  • jbossas-core-0:7.3.1-5.Final_redhat_3.1.ep6.el6
  • jbossas-javadocs-0:7.3.1-3.Final_redhat_3.ep6.el6
  • jbossas-modules-eap-0:7.3.1-6.Final_redhat_3.1.ep6.el6
  • jbossweb-0:7.3.0-1.Final_redhat_1.1.ep6.el6
  • netty-0:3.6.7-1.Final_redhat_1.1.ep6.el6
  • picketbox-0:4.0.19-2.SP3_redhat_1.1.ep6.el6
  • weld-core-0:1.1.17-1.Final_redhat_1.1.ep6.el6
  • xml-security-0:1.5.6-1.redhat_1.1.ep6.el6
  • xmltooling-0:1.3.4-5.redhat_3.1.ep6.el6
  • xml-security-0:1.5.6-3.el6
  • xml-security-0:1.5.6-3.ep5.el4
  • xml-security-0:1.5.6-3.ep5.el5
refmap via4
bid 64437
confirm
fulldisc 20131218 Apache Santuario security advisory CVE-2013-4517 released
mlist [santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html
osvdb 101169
sectrack 1029524
secunia 55639
xf santuario-xmlsecurity-cve20134517-dos(89891)
Last major update 18-04-2023 - 19:07
Published 11-01-2014 - 01:55
Last modified 18-04-2023 - 19:07