VulnerableCode Package Details - pkg:deb/debian/libxml-security-java@1.5.6-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-46y3-rx34-pyc6 Aliases: CVE-2021-40690 GHSA-j8wc-gxx9-82hx	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	2.0.10-2+deb10u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.0.10-2+deb11u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-46y3-rx34-pyc6
Aliases:
CVE-2021-40690
GHSA-j8wc-gxx9-82hx

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

2.0.10-2+deb10u1
Affected by 1 other vulnerability.

2.0.10-2+deb11u1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-64x5-tgkj-9qb9	jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."	CVE-2013-2172 GHSA-r237-w2w6-jq3p
VCID-h8wa-77tk-m3av	Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.	CVE-2013-4517 GHSA-4p4w-6h54-g885

Vulnerability

Summary

Aliases

VCID-64x5-tgkj-9qb9

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVE-2013-2172
GHSA-r237-w2w6-jq3p

VCID-h8wa-77tk-m3av

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

CVE-2013-4517
GHSA-4p4w-6h54-g885

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-15T23:54:57.991669+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T22:27:33.968338+00:00	Debian Oval Importer	Fixing	VCID-h8wa-77tk-m3av	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T20:47:40.865696+00:00	Debian Oval Importer	Fixing	VCID-64x5-tgkj-9qb9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T14:55:23.880540+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.4.0
2026-04-11T23:29:14.197722+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T22:04:41.688476+00:00	Debian Oval Importer	Fixing	VCID-h8wa-77tk-m3av	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T20:28:34.119821+00:00	Debian Oval Importer	Fixing	VCID-64x5-tgkj-9qb9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T14:43:40.265041+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.3.0
2026-04-08T23:02:10.129699+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T21:41:38.565827+00:00	Debian Oval Importer	Fixing	VCID-h8wa-77tk-m3av	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T20:08:56.923406+00:00	Debian Oval Importer	Fixing	VCID-64x5-tgkj-9qb9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-07T23:16:33.859727+00:00	Debian Oval Importer	Affected by	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.1.0