Address CVE-2021-40690

Description

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
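The upgrade discussed in the comments below is the actual fix; as an added defensive illustration (not code from this ticket or from Santuario itself) the routine below validates a signature through the JSR-105 API with secure validation switched on explicitly and with URI dereferencing limited to same-document references, so a RetrievalMethod or Reference URI that points at a local file is refused whichever code path builds the KeyInfo. The class name, method names and property handling are assumptions for the example.

```java
import java.io.File;
import java.security.Key;
import javax.xml.XMLConstants;
import javax.xml.crypto.Data;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Example class (assumed name): hardened XML Signature validation.
public final class HardenedSignatureCheck {

    // Refuses every URI that is not "" (whole document) or a "#id" fragment,
    // so file:, http: and similar references are never dereferenced.
    static final class SameDocumentOnlyDereferencer implements URIDereferencer {
        private final URIDereferencer delegate;
        SameDocumentOnlyDereferencer(URIDereferencer delegate) { this.delegate = delegate; }
        @Override
        public Data dereference(URIReference ref, XMLCryptoContext ctx) throws URIReferenceException {
            String uri = ref.getURI();
            if (uri != null && !uri.isEmpty() && !uri.startsWith("#")) {
                throw new URIReferenceException("external reference rejected: " + uri);
            }
            return delegate.dereference(ref, ctx);
        }
    }

    static boolean validate(File signedXml, Key verificationKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) throw new IllegalArgumentException("no Signature element");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(verificationKey, nl.item(0));
        // Property names used by the Santuario and JDK providers respectively.
        ctx.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        ctx.setURIDereferencer(new SameDocumentOnlyDereferencer(fac.getURIDereferencer()));
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

Secure validation alone did not protect the KeyInfoReference path in the affected versions, which is why the dereferencer restriction sits alongside it rather than replacing the library upgrade.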

Acceptance / Success Criteria

None

Activity

Christian Pape June 7, 2024 at 6:49 AM

Merged.

Christian Pape June 5, 2024 at 1:16 PM

Benjamin Reed March 25, 2024 at 3:56 PM

I believe this is fixable by updating to the latest 2.x or even 3.x without breaking things (it appears the only breaking change from 1.x to 2.x was no longer supporting JDK 1.5).

Fixed

Details


Created March 19, 2024 at 11:08 AM
Updated June 7, 2024 at 6:49 AM
Resolved June 7, 2024 at 6:49 AM