VulnerableCode Package Details - pkg:maven/org.apache.santuario/xmlsec@2.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-46y3-rx34-pyc6 Aliases: CVE-2021-40690 GHSA-j8wc-gxx9-82hx	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	2.1.7 Affected by 0 other vulnerabilities. 2.2.3 Affected by 0 other vulnerabilities.
VCID-degg-m3tz-9ubj Aliases: CVE-2019-12400 GHSA-4q98-wr72-h35w	Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.	2.1.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-46y3-rx34-pyc6
Aliases:
CVE-2021-40690
GHSA-j8wc-gxx9-82hx

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

2.1.7
Affected by 0 other vulnerabilities.

2.2.3
Affected by 0 other vulnerabilities.

VCID-degg-m3tz-9ubj
Aliases:
CVE-2019-12400
GHSA-4q98-wr72-h35w

Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

2.1.4
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-s52q-y45a-f7cw	Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.	CVE-2014-8152 GHSA-w7cq-j9p9-hm3m

Vulnerability

Summary

Aliases

VCID-s52q-y45a-f7cw

Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.

CVE-2014-8152
GHSA-w7cq-j9p9-hm3m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:31:13.272455+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.4.0
2026-04-16T20:56:59.087623+00:00	GitLab Importer	Affected by	VCID-degg-m3tz-9ubj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2019-12400.yml	38.4.0
2026-04-16T20:32:10.489678+00:00	GitLab Importer	Fixing	VCID-s52q-y45a-f7cw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2014-8152.yml	38.4.0
2026-04-11T22:44:22.123816+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.3.0
2026-04-11T22:08:00.891644+00:00	GitLab Importer	Affected by	VCID-degg-m3tz-9ubj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2019-12400.yml	38.3.0
2026-04-11T21:42:33.468215+00:00	GitLab Importer	Fixing	VCID-s52q-y45a-f7cw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2014-8152.yml	38.3.0
2026-04-02T22:54:24.376953+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.1.0
2026-04-02T22:20:45.316049+00:00	GitLab Importer	Affected by	VCID-degg-m3tz-9ubj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2019-12400.yml	38.1.0
2026-04-02T21:56:41.803134+00:00	GitLab Importer	Fixing	VCID-s52q-y45a-f7cw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2014-8152.yml	38.1.0
2026-04-01T17:12:41.873676+00:00	GitLab Importer	Affected by	VCID-46y3-rx34-pyc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2021-40690.yml	38.0.0
2026-04-01T16:38:31.524511+00:00	GitLab Importer	Affected by	VCID-degg-m3tz-9ubj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2019-12400.yml	38.0.0
2026-04-01T16:00:53.406704+00:00	GHSA Importer	Fixing	VCID-s52q-y45a-f7cw	https://github.com/advisories/GHSA-w7cq-j9p9-hm3m	38.0.0
2026-04-01T15:57:39.520013+00:00	GHSA Importer	Affected by	VCID-degg-m3tz-9ubj	https://github.com/advisories/GHSA-4q98-wr72-h35w	38.0.0
2026-04-01T13:10:57.647075+00:00	GithubOSV Importer	Fixing	VCID-s52q-y45a-f7cw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w7cq-j9p9-hm3m/GHSA-w7cq-j9p9-hm3m.json	38.0.0
2026-04-01T12:46:55.842039+00:00	GitLab Importer	Fixing	VCID-s52q-y45a-f7cw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2014-8152.yml	38.0.0