Improper verification of cryptographic signature in Apache Santuario XML Security for Java - CVE-2013-2172

 

Improper verification of cryptographic signature in Apache Santuario XML Security for Java - CVE-2013-2172

Published: March 13, 2023


Vulnerability identifier: #VU73270
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-2172
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Santuario XML Security for Java

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper verification of signature in jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java. A remote attacker can spoof the XML signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature".


How to mitigate CVE-2013-2172

Install updates from vendor's website.

Sources