VulnerableCode Package Details - pkg:maven/org.apache.santuario/xmlsec@1.5.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-46y3-rx34-pyc6 Aliases: CVE-2021-40690 GHSA-j8wc-gxx9-82hx	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	2.1.7 Affected by 0 other vulnerabilities. 2.2.3 Affected by 0 other vulnerabilities.
VCID-h8wa-77tk-m3av Aliases: CVE-2013-4517 GHSA-4p4w-6h54-g885	Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.	1.5.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-46y3-rx34-pyc6
Aliases:
CVE-2021-40690
GHSA-j8wc-gxx9-82hx

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

2.1.7
Affected by 0 other vulnerabilities.

2.2.3
Affected by 0 other vulnerabilities.

VCID-h8wa-77tk-m3av
Aliases:
CVE-2013-4517
GHSA-4p4w-6h54-g885

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

1.5.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-64x5-tgkj-9qb9	jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."	CVE-2013-2172 GHSA-r237-w2w6-jq3p

Vulnerability

Summary

Aliases

VCID-64x5-tgkj-9qb9

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

CVE-2013-2172
GHSA-r237-w2w6-jq3p

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:31:13.244771+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.4.0
2026-04-16T20:31:07.591024+00:00	GitLab Importer	Affected by	VCID-h8wa-77tk-m3av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-4517.yml	38.4.0
2026-04-16T20:30:48.228360+00:00	GitLab Importer	Fixing	VCID-64x5-tgkj-9qb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-2172.yml	38.4.0
2026-04-11T22:44:22.087878+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.3.0
2026-04-11T21:41:29.762202+00:00	GitLab Importer	Affected by	VCID-h8wa-77tk-m3av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-4517.yml	38.3.0
2026-04-11T21:41:13.242535+00:00	GitLab Importer	Fixing	VCID-64x5-tgkj-9qb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-2172.yml	38.3.0
2026-04-02T22:54:24.347139+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.1.0
2026-04-02T21:55:41.967688+00:00	GitLab Importer	Affected by	VCID-h8wa-77tk-m3av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-4517.yml	38.1.0
2026-04-02T21:55:22.862230+00:00	GitLab Importer	Fixing	VCID-64x5-tgkj-9qb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-2172.yml	38.1.0
2026-04-01T17:12:41.838848+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.0.0
2026-04-01T16:00:53.505085+00:00	GHSA Importer	Fixing	VCID-64x5-tgkj-9qb9	https://github.com/advisories/GHSA-r237-w2w6-jq3p	38.0.0
2026-04-01T13:08:51.060864+00:00	GithubOSV Importer	Fixing	VCID-64x5-tgkj-9qb9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r237-w2w6-jq3p/GHSA-r237-w2w6-jq3p.json	38.0.0
2026-04-01T12:46:51.316796+00:00	GitLab Importer	Affected by	VCID-h8wa-77tk-m3av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-4517.yml	38.0.0
2026-04-01T12:46:50.091527+00:00	GitLab Importer	Fixing	VCID-64x5-tgkj-9qb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2013-2172.yml	38.0.0