VulnerableCode Package Details - pkg:deb/debian/libxml-security-java@2.1.7-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-46y3-rx34-pyc6	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	CVE-2021-40690 GHSA-j8wc-gxx9-82hx
VCID-degg-m3tz-9ubj	Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.	CVE-2019-12400 GHSA-4q98-wr72-h35w

Vulnerability

Summary

Aliases

VCID-46y3-rx34-pyc6

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

CVE-2021-40690
GHSA-j8wc-gxx9-82hx

VCID-degg-m3tz-9ubj

Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

CVE-2019-12400
GHSA-4q98-wr72-h35w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:20:39.230789+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:43:18.744096+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:30:03.081462+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:30:03.045536+00:00	Debian Importer	Fixing	VCID-degg-m3tz-9ubj	https://security-tracker.debian.org/tracker/data/json	38.1.0