Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-z7ht-bq8z-3qgd
Vulnerability ID VCID-z7ht-bq8z-3qgd
Aliases CVE-2009-0217
GHSA-8hfm-837h-hjg5
Summary XML signature HMAC truncation authentication bypass This package uses a parameter that defines an HMAC truncation length (`HMACOutputLength`) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.01986 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.0222 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
epss 0.0222 https://api.first.org/data/v1/epss?cve=CVE-2009-0217
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=511915
generic_textual MODERATE https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-8hfm-837h-hjg5
generic_textual MODERATE https://gitlab.gnome.org/Archive/xmlsec/-/commit/34b349675af9f72eb822837a8772cc1ead7115c7
generic_textual MODERATE https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
generic_textual MODERATE https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
generic_textual MODERATE https://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
generic_textual MODERATE https://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
generic_textual MODERATE https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
generic_textual MODERATE https://marc.info/?l=bugtraq&m=125787273209737&w=2
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2009-0217
generic_textual MODERATE https://rhn.redhat.com/errata/RHSA-2009-1428.html
generic_textual MODERATE https://svn.apache.org/viewvc?revision=794013&view=revision
generic_textual MODERATE https://www.debian.org/security/2010/dsa-1995
generic_textual MODERATE https://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
generic_textual MODERATE https://www.kb.cert.org/vuls/id/466161
generic_textual MODERATE https://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
generic_textual MODERATE https://www.kb.cert.org/vuls/id/WDON-7TY529
generic_textual MODERATE https://www.mandriva.com/security/advisories?name=MDVSA-2009:209
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
generic_textual MODERATE https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
generic_textual MODERATE https://www.redhat.com/support/errata/RHSA-2009-1694.html
generic_textual MODERATE https://www.ubuntu.com/usn/USN-903-1
generic_textual MODERATE https://www.us-cert.gov/cas/techalerts/TA09-294A.html
generic_textual MODERATE https://www.w3.org/2008/06/xmldsigcore-errata.html#e03
generic_textual MODERATE https://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
generic_textual MODERATE http://www.us-cert.gov/cas/techalerts/TA10-159B.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0217.json
https://api.first.org/data/v1/epss?cve=CVE-2009-0217
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://gitlab.gnome.org/Archive/xmlsec/-/commit/34b349675af9f72eb822837a8772cc1ead7115c7
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
https://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
https://marc.info/?l=bugtraq&m=125787273209737&w=2
https://nvd.nist.gov/vuln/detail/CVE-2009-0217
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://svn.apache.org/viewvc?revision=794013&view=revision
http://svn.apache.org/viewvc?view=revision&revision=794013
https://www.debian.org/security/2010/dsa-1995
https://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
https://www.kb.cert.org/vuls/id/466161
https://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
https://www.kb.cert.org/vuls/id/WDON-7TY529
https://www.mandriva.com/security/advisories?name=MDVSA-2009:209
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
https://www.redhat.com/support/errata/RHSA-2009-1694.html
https://www.ubuntu.com/usn/USN-903-1
https://www.us-cert.gov/cas/techalerts/TA09-294A.html
https://www.w3.org/2008/06/xmldsigcore-errata.html#e03
https://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
CVE-2009-0217 https://bugzilla.redhat.com/CVE-2009-0217
GHSA-8hfm-837h-hjg5 https://github.com/advisories/GHSA-8hfm-837h-hjg5
GLSA-201206-13 https://security.gentoo.org/glsa/201206-13
GLSA-201408-19 https://security.gentoo.org/glsa/201408-19
RHSA-2009:1200 https://access.redhat.com/errata/RHSA-2009:1200
RHSA-2009:1201 https://access.redhat.com/errata/RHSA-2009:1201
RHSA-2009:1428 https://access.redhat.com/errata/RHSA-2009:1428
RHSA-2009:1636 https://access.redhat.com/errata/RHSA-2009:1636
RHSA-2009:1637 https://access.redhat.com/errata/RHSA-2009:1637
RHSA-2009:1649 https://access.redhat.com/errata/RHSA-2009:1649
RHSA-2009:1650 https://access.redhat.com/errata/RHSA-2009:1650
RHSA-2010:0043 https://access.redhat.com/errata/RHSA-2010:0043
USN-814-1 https://usn.ubuntu.com/814-1/
USN-826-1 https://usn.ubuntu.com/826-1/
USN-903-1 https://usn.ubuntu.com/903-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.83529
EPSS Score 0.01986
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:46:45.642038+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.santuario/xmlsec/CVE-2009-0217.yml 38.0.0