github - ghsa-8gwc-x7mg-7p7p

ghsa-8gwc-x7mg-7p7p

Vulnerability from github

Published

2022-05-14 00:02

Modified

2024-03-05 00:33

Summary

Apache XML Security For Java vulnerable to Infinite Loop

Details

Affected versions of xmlsec are subject to a denial of service vulnerability. Should a user check the signature of a message larger than 512 MB, the method expandSize(int newPos) of class org.apache.xml.security.utils.UnsyncByteArrayOutputStream goes in an endless loop. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.santuario:xmlsec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.santuario:xmlsec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-5823"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:57:18Z",
    "nvd_published_at": "2013-10-16T17:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of xmlsec are subject to a denial of service vulnerability. Should a user check the signature of a message larger than 512 MB, the method `expandSize(int newPos)` of class `org.apache.xml.security.utils.UnsyncByteArrayOutputStream` goes in an endless loop. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.",
  "id": "GHSA-8gwc-x7mg-7p7p",
  "modified": "2024-03-05T00:33:21Z",
  "published": "2022-05-14T00:02:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/santuario-java/commit/55a48497dfbf3fe63a81e67c13160b3f41ebb1f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/santuario-java/commit/cea3c91106fb8be35e2f1bb3f1fe0cfddd0ec710"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/santuario-java/commit/f9a61f2df9473237aa71308c28113540b4063d33"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2014:0414"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5823"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SANTUARIO-334"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/glsa-201406-32.xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache XML Security For Java vulnerable to Infinite Loop"
}

CVE-2013-5823 (GCVE-0-2013-5823)

Vulnerability from cvelistv5

Published

2013-10-16 17:31

Modified

2024-08-06 17:22

Severity ?

CWE

Summary

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2014:0414	vendor-advisory, x_refsource_REDHAT
	http://security.gentoo.org/glsa/glsa-201406-32.xml	vendor-advisory, x_refsource_GENTOO
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18783	vdb-entry, signature, x_refsource_OVAL
	http://rhn.redhat.com/errata/RHSA-2013-1447.html	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2013-1440.html	vendor-advisory, x_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2033-1	vendor-advisory, x_refsource_UBUNTU
	http://www.ubuntu.com/usn/USN-2089-1	vendor-advisory, x_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2013-1508.html	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00013.html	vendor-advisory, x_refsource_SUSE
	http://marc.info/?l=bugtraq&m=138674073720143&w=2	vendor-advisory, x_refsource_HP
	http://rhn.redhat.com/errata/RHSA-2013-1505.html	vendor-advisory, x_refsource_REDHAT
	http://www-01.ibm.com/support/docview.wss?uid=swg21655201	x_refsource_CONFIRM
	http://marc.info/?l=bugtraq&m=138674031212883&w=2	vendor-advisory, x_refsource_HP
	http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html	vendor-advisory, x_refsource_SUSE
	http://rhn.redhat.com/errata/RHSA-2013-1793.html	vendor-advisory, x_refsource_REDHAT
	http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html	x_refsource_CONFIRM
	http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html	vendor-advisory, x_refsource_APPLE
	http://rhn.redhat.com/errata/RHSA-2013-1507.html	vendor-advisory, x_refsource_REDHAT
	http://support.apple.com/kb/HT5982	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2013-1451.html	vendor-advisory, x_refsource_REDHAT
	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website