CVE-2013-4517 - Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attacke

CVE-2013-4517

Summary

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

References

Vulnerable Configurations

cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:santuario_xml_security_for_java:1.2.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 18-04-2023 - 19:07)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

redhat via4

advisories

rhsa
id RHSA-2014:0170
rhsa
id RHSA-2014:0171
rhsa
id RHSA-2014:0172
rhsa
id RHSA-2014:0195
rhsa
id RHSA-2014:1725
rhsa
id RHSA-2014:1726
rhsa
id RHSA-2014:1727
rhsa
id RHSA-2014:1728
rhsa
id RHSA-2015:0675
rhsa
id RHSA-2015:0850
rhsa
id RHSA-2015:0851

rpms

hornetq-0:2.3.14-1.Final_redhat_1.1.ep6.el5
jacorb-jboss-0:2.3.2-13.redhat_6.1.ep6.el5
jboss-as-appclient-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-cli-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-client-all-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-clustering-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-cmp-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-configadmin-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-connector-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-controller-client-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-core-security-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-deployment-repository-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-deployment-scanner-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-domain-http-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-domain-management-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-ee-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-ee-deployment-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-ejb3-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-embedded-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-host-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-jacorb-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-jaxr-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-jaxrs-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-jdr-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-jmx-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-jpa-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-jsf-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-jsr77-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-logging-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-mail-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-management-client-content-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-messaging-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-modcluster-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-naming-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-network-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-osgi-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-osgi-configadmin-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-osgi-service-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-platform-mbean-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-pojo-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-process-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-protocol-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-remoting-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-sar-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-security-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-server-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-system-jmx-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-threads-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-transactions-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-as-version-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-web-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-webservices-0:7.3.1-3.Final_redhat_3.1.ep6.el5
jboss-as-weld-0:7.3.1-4.Final_redhat_3.1.ep6.el5
jboss-as-xts-0:7.3.1-2.Final_redhat_3.1.ep6.el5
jboss-logmanager-0:1.5.2-1.Final_redhat_1.1.ep6.el5
jboss-marshalling-0:1.4.3-1.Final_redhat_1.1.ep6.el5
jboss-xnio-base-0:3.0.9-1.GA_redhat_1.1.ep6.el5
jbossas-core-0:7.3.1-5.Final_redhat_3.1.ep6.el5
jbossas-javadocs-0:7.3.1-3.Final_redhat_3.ep6.el5
jbossas-modules-eap-0:7.3.1-6.Final_redhat_3.1.ep6.el5
jbossweb-0:7.3.0-1.Final_redhat_1.1.ep6.el5
netty-0:3.6.7-1.Final_redhat_1.1.ep6.el5
picketbox-0:4.0.19-2.SP3_redhat_1.1.ep6.el5
weld-core-0:1.1.17-1.Final_redhat_1.1.ep6.el5
xml-security-0:1.5.6-1.redhat_1.1.ep6.el5
xmltooling-0:1.3.4-5.redhat_3.1.ep6.el5
hornetq-0:2.3.14-1.Final_redhat_1.1.ep6.el6
jacorb-jboss-0:2.3.2-13.redhat_6.1.ep6.el6
jboss-as-appclient-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-cli-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-client-all-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-clustering-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-cmp-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-configadmin-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-connector-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-controller-client-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-core-security-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-deployment-repository-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-deployment-scanner-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-domain-http-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-domain-management-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-ee-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-ee-deployment-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-ejb3-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-embedded-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-host-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-jacorb-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-jaxr-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-jaxrs-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-jdr-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-jmx-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-jpa-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-jsf-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-jsr77-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-logging-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-mail-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-management-client-content-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-messaging-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-modcluster-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-naming-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-network-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-osgi-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-osgi-configadmin-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-osgi-service-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-platform-mbean-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-pojo-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-process-controller-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-protocol-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-remoting-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-sar-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-security-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-server-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-system-jmx-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-threads-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-transactions-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-as-version-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-web-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-webservices-0:7.3.1-3.Final_redhat_3.1.ep6.el6
jboss-as-weld-0:7.3.1-4.Final_redhat_3.1.ep6.el6
jboss-as-xts-0:7.3.1-2.Final_redhat_3.1.ep6.el6
jboss-logmanager-0:1.5.2-1.Final_redhat_1.1.ep6.el6
jboss-marshalling-0:1.4.3-1.Final_redhat_1.1.ep6.el6
jboss-xnio-base-0:3.0.9-1.GA_redhat_1.1.ep6.el6
jbossas-core-0:7.3.1-5.Final_redhat_3.1.ep6.el6
jbossas-javadocs-0:7.3.1-3.Final_redhat_3.ep6.el6
jbossas-modules-eap-0:7.3.1-6.Final_redhat_3.1.ep6.el6
jbossweb-0:7.3.0-1.Final_redhat_1.1.ep6.el6
netty-0:3.6.7-1.Final_redhat_1.1.ep6.el6
picketbox-0:4.0.19-2.SP3_redhat_1.1.ep6.el6
weld-core-0:1.1.17-1.Final_redhat_1.1.ep6.el6
xml-security-0:1.5.6-1.redhat_1.1.ep6.el6
xmltooling-0:1.3.4-5.redhat_3.1.ep6.el6
xml-security-0:1.5.6-3.el6
xml-security-0:1.5.6-3.ep5.el4
xml-security-0:1.5.6-3.ep5.el5
xml-security-0:1.5.6-3.el6
xml-security-0:1.5.6-3.ep5.el4
xml-security-0:1.5.6-3.ep5.el5

refmap via4

bid	64437
confirm	http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc https://www.tenable.com/security/tns-2018-15
fulldisc	20131218 Apache Santuario security advisory CVE-2013-4517 released
mlist	[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html
osvdb	101169
sectrack	1029524
secunia	55639
xf	santuario-xmlsecurity-cve20134517-dos(89891)

Last major update

18-04-2023 - 19:07

Published

11-01-2014 - 01:55

Last modified

18-04-2023 - 19:07