VulnerableCode Package Details - pkg:deb/debian/libxml-security-java@2.0.10-2%2Bdeb11u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-degg-m3tz-9ubj Aliases: CVE-2019-12400 GHSA-4q98-wr72-h35w	Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.	2.1.7-3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-degg-m3tz-9ubj
Aliases:
CVE-2019-12400
GHSA-4q98-wr72-h35w

Improper input validation in Apache Santuario XML Security for Java In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

2.1.7-3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-46y3-rx34-pyc6	Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.	CVE-2021-40690 GHSA-j8wc-gxx9-82hx

Vulnerability

Summary

Aliases

VCID-46y3-rx34-pyc6

Exposure of Sensitive Information to an Unauthorized Actor All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

CVE-2021-40690
GHSA-j8wc-gxx9-82hx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:01:53.234383+00:00	Debian Importer	Affected by	VCID-degg-m3tz-9ubj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-15T23:54:58.002387+00:00	Debian Oval Importer	Fixing	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-13T08:57:24.912539+00:00	Debian Importer	Affected by	VCID-degg-m3tz-9ubj	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T23:29:14.208736+00:00	Debian Oval Importer	Fixing	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-08T23:02:10.140765+00:00	Debian Oval Importer	Fixing	VCID-46y3-rx34-pyc6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T19:57:38.582388+00:00	Debian Importer	Affected by	VCID-degg-m3tz-9ubj	https://security-tracker.debian.org/tracker/data/json	38.1.0