CVE-2013-2172

Vincent Danen
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.

Details Source

Red Hat

Public Date

2013-06-25 00:00:00

Impact

Moderate

Bugzilla

CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing

Bugzilla ID

999263

CVSS Status

verified

Base Score

5.80

Base Metrics

AV:N/AC:M/Au:N/C:P/I:P/A:N

External References

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1217 | 2013-09-09
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1375 | 2013-09-30
Red Hat JBoss Web Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1219 | 2013-09-09
Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | 2013-10-16
Red Hat JBoss Web Platform 5.2 | RHSA-2013:1220 | 2013-09-09
Red Hat JBoss Operations Network 3.2 | RHSA-2013:1853 | 2013-12-17
Red Hat JBoss Web Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1219 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:1209 | 2013-09-04
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1217 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2013:1208 | 2013-09-04
Red Hat JBoss SOA Platform 5.3 | RHSA-2014:0212 | 2014-02-25
Red Hat JBoss Fuse 6.1 | RHSA-2014:0400 | 2014-04-14
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:1218 | 2013-09-09
Red Hat JBoss Web Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1219 | 2013-09-09
Fuse Management Console 7.1.0 | RHSA-2014:1369 | 2014-10-09
Fuse ESB Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1217 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2013:1207 | 2013-09-04
Fuse MQ Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09

CWE

CWE-290

Affected Packages State

Platform | Package | State
Red Hat JBoss Portal Platform 4 | xmlsec | Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3 | xmlsec | Will not fix
Red Hat JBoss Enterprise SOA Platform 4.2 | xmlsec | Will not fix
Red Hat JBoss BRMS 5 | xmlsec | Affected
Red Hat JBoss Portal 5 | xmlsec | Will not fix
Red Hat JBoss Operations Network 3.1 | xmlsec | Affected
Red Hat JBoss EAP 5 | xmlsec | Affected
Red Hat JBoss EAP 4 | xmlsec | Will not fix