Red Hat Customer Portal

CVE-2013-2172

Impact: Moderate
Public Date: 2013-06-25
CWE: CWE-290 (Authentication Bypass by Spoofing)
Bugzilla:
999263: CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. When verifying a signature, Santuario canonicalized the SignedInfo element with whatever algorithm URI the signature's own CanonicalizationMethod element named, without restricting that URI to the standard canonicalization algorithms. Because the signature value is computed over the canonicalized SignedInfo, and SignedInfo carries the digests of the signed content, an attacker who controls the canonicalization step controls the bytes that are actually verified. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block, causing a signature to be accepted for content the key holder never signed.
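The following is an added example and is not code from the Santuario project or from Red Hat. It uses the JDK's own JSR 105 API (javax.xml.crypto.dsig, JDK 8 or later) rather than Santuario's API to sign a constructed document, then applies the check a consumer of XML signatures wants regardless of library version: read the CanonicalizationMethod Algorithm URI from the raw DOM and refuse anything that is not a W3C canonicalization algorithm before any library interprets it. The sample document, the key pair, the allowlist and the class name are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Example class (hypothetical name): allowlist check for ds:CanonicalizationMethod.
public class C14nAllowlistCheck {

    // Only genuine canonicalization algorithms may appear in
    // ds:SignedInfo/ds:CanonicalizationMethod. XSLT, XPath, enveloped-signature,
    // base64 and the like are Transforms and must never canonicalize SignedInfo.
    private static final Set<String> ALLOWED_C14N = new HashSet<>(Arrays.asList(
        CanonicalizationMethod.INCLUSIVE,
        CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
        CanonicalizationMethod.EXCLUSIVE,
        CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS,
        "http://www.w3.org/2006/12/xml-c14n11",
        "http://www.w3.org/2006/12/xml-c14n11#WithComments"));

    static Element findSignature(Document doc) {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:Signature, found " + nl.getLength());
        }
        return (Element) nl.item(0);
    }

    // Hardened validation: inspect the algorithm URI in the raw DOM first, then
    // hand the document to the signature library. Throws SecurityException on a
    // disallowed algorithm; returns the library's verdict otherwise.
    static boolean validate(Document doc, PublicKey key) throws Exception {
        Element sig = findSignature(doc);
        NodeList cm = sig.getElementsByTagNameNS(XMLSignature.XMLNS, "CanonicalizationMethod");
        if (cm.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:CanonicalizationMethod");
        }
        String alg = ((Element) cm.item(0)).getAttribute("Algorithm");
        if (!ALLOWED_C14N.contains(alg)) {
            throw new SecurityException("rejected CanonicalizationMethod algorithm: " + alg);
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(key), sig);
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }

    // Constructed sample: an enveloped RSA-SHA256 signature over a tiny document.
    static Document signedSample(KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
            "<order><item>widget</item></order>".getBytes(StandardCharsets.UTF_8)));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        XMLSignature signature = fac.newXMLSignature(si, null);
        signature.sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = signedSample(kp);
        System.out.println("well-formed signature valid: " + validate(doc, kp.getPublic()));

        // Tampering in the style the advisory describes: name a transform (XSLT)
        // as the canonicalization method of SignedInfo. The pre-check refuses it
        // before any canonicalizer is looked up.
        Element cm = (Element) findSignature(doc)
            .getElementsByTagNameNS(XMLSignature.XMLNS, "CanonicalizationMethod").item(0);
        cm.setAttribute("Algorithm", Transform.XSLT);
        try {
            validate(doc, kp.getPublic());
            System.out.println("BUG: tampered signature accepted");
        } catch (SecurityException e) {
            System.out.println("tampered signature rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to a fixed Santuario build remains the real fix; this pre-check only closes the specific algorithm confusion the advisory describes. It assumes exactly one Signature element per document; a format that legitimately carries several (for example a SAML response with assertion-level and response-level signatures) needs the same allowlist applied to each SignedInfo.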

Find out more about CVE-2013-2172 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 5.8
Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1217 | 2013-09-09
JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:1375 | 2013-09-30
Red Hat JBoss Web Platform 5 for RHEL 5 Server (xml-security) | RHSA-2013:1219 | 2013-09-09
Red Hat JBoss Portal Platform 6.1 | RHSA-2013:1437 | 2013-10-16
Red Hat JBoss Web Platform 5.2 | RHSA-2013:1220 | 2013-09-09
Red Hat JBoss Operations Network 3.2 | RHSA-2013:1853 | 2013-12-17
Red Hat JBoss Web Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1219 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:1209 | 2013-09-04
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1217 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2013:1208 | 2013-09-04
Red Hat JBoss SOA Platform 5.3 | RHSA-2014:0212 | 2014-02-25
Red Hat JBoss Fuse 6.1 | RHSA-2014:0400 | 2014-04-14
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:1218 | 2013-09-09
Red Hat JBoss Web Platform 5 for RHEL 6 Server (xml-security) | RHSA-2013:1219 | 2013-09-09
Fuse Management Console 7.1.0 | RHSA-2014:1369 | 2014-10-09
Fuse ESB Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xml-security) | RHSA-2013:1217 | 2013-09-09
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2013:1207 | 2013-09-04
Fuse MQ Enterprise 7.1.0 | RHSA-2014:1369 | 2014-10-09

Affected Packages State

Platform | Package | State
Red Hat JBoss Enterprise SOA Platform 4.2 | xmlsec | Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3 | xmlsec | Will not fix
Red Hat JBoss Portal Platform 4 | xmlsec | Will not fix
Red Hat JBoss EAP 4 | xmlsec | Will not fix
Red Hat JBoss BRMS 5 | xmlsec | Affected
Red Hat JBoss EAP 5 | xmlsec | Affected
Red Hat JBoss Portal 5 | xmlsec | Will not fix
Red Hat JBoss Operations Network 3.1 | xmlsec | Affected
