{"url":"http://public2.vulnerablecode.io/api/packages/20393?format=json","purl":"pkg:maven/xml-security/xmlsec@1.5","type":"maven","namespace":"xml-security","name":"xmlsec","version":"1.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4933?format=json","vulnerability_id":"VCID-64x5-tgkj-9qb9","summary":"jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\"","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1207.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1207.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1208.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1208.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1209.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1209.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1217.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1217.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1218.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1218.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1219.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1219.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1220.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1220.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1375.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1375.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1437.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1437.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2013-1853.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2013-1853.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0212.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0212.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2172.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2172.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2172","reference_id":"","reference_type":"","scores":[{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90081","published_at":"2026-04-01T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90152","published_at":"2026-04-26T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90153","published_at":"2026-04-24T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90137","published_at":"2026-04-21T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90141","published_at":"2026-04-18T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90123","published_at":"2026-04-13T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90129","published_at":"2026-04-12T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.9013","published_at":"2026-04-11T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90121","published_at":"2026-04-09T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90115","published_at":"2026-04-08T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.901","published_at":"2026-04-07T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90095","published_at":"2026-04-04T12:55:00Z"},{"value":"0.05394","scoring_system":"epss","scoring_elements":"0.90084","published_at":"2026-04-02T12:55:00Z"},{"value":"0.06494","scoring_system":"epss","scoring_elements":"0.91132","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2172"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2172","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2172"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172"},{"reference_url":"http://seclists.org/fulldisclosure/2014/Dec/23","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2014/Dec/23"},{"reference_url":"https://github.com/apache/santuario-java","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/santuario-java"},{"reference_url":"https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590"},{"reference_url":"https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f"},{"reference_url":"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2172","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2172"},{"reference_url":"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876&r2=1493772&pathrev=1493772&diff_format=h"},{"reference_url":"https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846"},{"reference_url":"http://www.debian.org/security/2014/dsa-3065","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2014/dsa-3065"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"},{"reference_url":"http://www.ubuntu.com/usn/USN-2028-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.ubuntu.com/usn/USN-2028-1"},{"reference_url":"http://www.vmware.com/security/advisories/VMSA-2014-0012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vmware.com/security/advisories/VMSA-2014-0012.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720375","reference_id":"720375","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720375"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=999263","reference_id":"999263","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=999263"},{"reference_url":"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc","reference_id":"CVE-2013-2172.TXT.ASC","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"},{"reference_url":"https://github.com/advisories/GHSA-r237-w2w6-jq3p","reference_id":"GHSA-r237-w2w6-jq3p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r237-w2w6-jq3p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1207","reference_id":"RHSA-2013:1207","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1207"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1208","reference_id":"RHSA-2013:1208","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1208"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1209","reference_id":"RHSA-2013:1209","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1209"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1217","reference_id":"RHSA-2013:1217","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1217"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1218","reference_id":"RHSA-2013:1218","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1218"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1219","reference_id":"RHSA-2013:1219","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1219"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1220","reference_id":"RHSA-2013:1220","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1220"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1375","reference_id":"RHSA-2013:1375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1375"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1437","reference_id":"RHSA-2013:1437","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1437"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:1853","reference_id":"RHSA-2013:1853","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:1853"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0212","reference_id":"RHSA-2014:0212","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0212"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0400","reference_id":"RHSA-2014:0400","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0400"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1369","reference_id":"RHSA-2014:1369","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1369"},{"reference_url":"https://usn.ubuntu.com/2028-1/","reference_id":"USN-2028-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2028-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20396?format=json","purl":"pkg:maven/xml-security/xmlsec@1.5.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h8wa-77tk-m3av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/xml-security/xmlsec@1.5.5"}],"aliases":["CVE-2013-2172","GHSA-r237-w2w6-jq3p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64x5-tgkj-9qb9"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/xml-security/xmlsec@1.5"}