VulnerableCode Package Details - pkg:deb/debian/libxml-security-java@2.1.8-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-46y3-rx34-pyc6	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	CVE-2021-40690 GHSA-j8wc-gxx9-82hx
VCID-64x5-tgkj-9qb9	jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."	CVE-2013-2172 GHSA-r237-w2w6-jq3p
VCID-degg-m3tz-9ubj	Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.	CVE-2019-12400 GHSA-4q98-wr72-h35w
VCID-h8wa-77tk-m3av	Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.	CVE-2013-4517 GHSA-4p4w-6h54-g885
VCID-s52q-y45a-f7cw	Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.	CVE-2014-8152 GHSA-w7cq-j9p9-hm3m

Vulnerability

Summary

Aliases

VCID-46y3-rx34-pyc6

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

CVE-2021-40690
GHSA-j8wc-gxx9-82hx

VCID-64x5-tgkj-9qb9

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVE-2013-2172
GHSA-r237-w2w6-jq3p

VCID-degg-m3tz-9ubj

Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

CVE-2019-12400
GHSA-4q98-wr72-h35w

VCID-h8wa-77tk-m3av

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

CVE-2013-4517
GHSA-4p4w-6h54-g885

VCID-s52q-y45a-f7cw

Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.

CVE-2014-8152
GHSA-w7cq-j9p9-hm3m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:30:56.072299+00:00	Debian Importer	Fixing	VCID-64x5-tgkj-9qb9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:20:39.245203+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:57:59.823441+00:00	Debian Importer	Fixing	VCID-h8wa-77tk-m3av	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:38:29.239085+00:00	Debian Importer	Fixing	VCID-s52q-y45a-f7cw	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:50:54.727118+00:00	Debian Importer	Fixing	VCID-64x5-tgkj-9qb9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:43:18.776318+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:26:22.208246+00:00	Debian Importer	Fixing	VCID-h8wa-77tk-m3av	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:11:38.424236+00:00	Debian Importer	Fixing	VCID-s52q-y45a-f7cw	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:30:03.097624+00:00	Debian Importer	Fixing	VCID-46y3-rx34-pyc6	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:30:03.056445+00:00	Debian Importer	Fixing	VCID-degg-m3tz-9ubj	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:30:03.012643+00:00	Debian Importer	Fixing	VCID-s52q-y45a-f7cw	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:30:02.977514+00:00	Debian Importer	Fixing	VCID-h8wa-77tk-m3av	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:30:02.934997+00:00	Debian Importer	Fixing	VCID-64x5-tgkj-9qb9	https://security-tracker.debian.org/tracker/data/json	38.1.0