CVE Database

CVE-2013-2172

Impact: Moderate
Public: 2013-06-25
CWE: CWE-290
Bugzilla: 999263: CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
IAVA: 2013-A-0177

Details

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm in the CanonicalizationMethod element of its SignedInfo, and that algorithm was applied to the SignedInfo XML fragment before the signature value was checked. Because an XML signature value is computed over the canonicalized form of SignedInfo, control over the canonicalization step gives an attacker influence over the bytes that are actually verified. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
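As an added example (not code from the Red Hat page or from the Santuario project), the following Python pre-check rejects any ds:SignedInfo whose CanonicalizationMethod is not one of the canonicalization algorithm URIs defined by XML-DSig. Restricting SignedInfo canonicalization to known C14N algorithms is the kind of check the fixed releases enforce inside the library; this script is an independent gate for documents before they reach a verifier you cannot immediately upgrade. The allow-list, the function names and both sample documents are assumptions constructed for the example; the second sample uses the XSLT transform URI as its CanonicalizationMethod only to illustrate an "arbitrary algorithm" that the check must refuse.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Canonicalization algorithm identifiers from XML-DSig / C14N specs.
# Assumed policy for this example: nothing outside this set is acceptable
# as the SignedInfo canonicalization method.
ALLOWED_C14N = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
}

MISSING = "<missing CanonicalizationMethod>"


def find_unsafe_c14n(xml_text):
    """Return the offending SignedInfo canonicalization algorithms in a document.

    Every ds:Signature is inspected (a document may carry several); an empty
    list means all of them use an allowed C14N algorithm. The comparison is an
    exact string match on purpose: a verifier must not be lenient here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DSIG_NS}}}Signature"):
        signed_info = sig.find(f"{{{DSIG_NS}}}SignedInfo")
        if signed_info is None:
            findings.append(MISSING)
            continue
        method = signed_info.find(f"{{{DSIG_NS}}}CanonicalizationMethod")
        algorithm = method.get("Algorithm") if method is not None else None
        if algorithm not in ALLOWED_C14N:
            findings.append(algorithm if algorithm is not None else MISSING)
    return findings


def signed_info_c14n_is_allowed(xml_text):
    """True only if every signature in the document passes the check."""
    return not find_unsafe_c14n(xml_text)


# Constructed sample: a well-formed signature block using Exclusive C14N.
# Digest and signature values are placeholders; only the algorithm matters here.
BENIGN_DOC = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body Id="body">hello</Body>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
      <ds:Reference URI="#body">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</Envelope>"""

# Constructed sample: the same block, but SignedInfo names a non-C14N
# algorithm (the XSLT transform URI) with an attacker-supplied stylesheet.
# This is the shape the check must reject, regardless of the stylesheet body.
SPOOFED_DOC = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body Id="body">hello</Body>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
          <xsl:template match="/"><xsl:text>attacker-chosen bytes</xsl:text></xsl:template>
        </xsl:stylesheet>
      </ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
      <ds:Reference URI="#body">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</Envelope>"""


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("spoofed", SPOOFED_DOC)):
        bad = find_unsafe_c14n(doc)
        print(f"{name}: {'OK' if not bad else 'REJECT ' + ', '.join(bad)}")
```

Run the check before handing a document to the signature library, and treat any finding as a hard reject rather than a warning: the point of the flaw is that a verifier which lets the document choose the canonicalization step has already lost control of what it signs over. The check is a defence-in-depth gate and not a substitute for the vendor erratum listed below.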

Find out more about CVE-2013-2172 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 5.8
Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
Fuse ESB Enterprise 7.1.0 | RHSA-2014:1369 | October 09, 2014
Fuse MQ Enterprise 7.1.0 | RHSA-2014:1369 | October 09, 2014
Fuse Management Console 7.1.0 | RHSA-2014:1369 | October 09, 2014
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1375 | September 30, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1217 | September 09, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1217 | September 09, 2013
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1217 | September 09, 2013
Red Hat JBoss Enterprise Application Platform 5.2 (xml-security) | RHSA-2013:1218 | September 09, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2013:1207 | September 04, 2013
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2013:1208 | September 04, 2013
Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:1209 | September 04, 2013
Red Hat JBoss Fuse 6.1 | RHSA-2014:0400 | April 14, 2014
Red Hat JBoss Operations Network 3.2 | RHSA-2013:1853 | December 17, 2013
Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | October 16, 2013
Red Hat JBoss SOA Platform 5.3 | RHSA-2014:0212 | February 25, 2014
Red Hat JBoss Web Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1219 | September 09, 2013
Red Hat JBoss Web Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1219 | September 09, 2013
Red Hat JBoss Web Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1219 | September 09, 2013
Red Hat JBoss Web Platform 5.2 (xml-security) | RHSA-2013:1220 | September 09, 2013

External References

http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.