#VU73268 Improper Verification of Cryptographic Signature in Apache Santuario XML Security for Java - CVE-2014-8152

 


Published: March 13, 2023


Vulnerability identifier: #VU73268
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-8152
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Santuario XML Security for Java
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an improper signature validation mechanism. A remote attacker can modify the XML document in such a way that it appears to be valid to the streaming XML signature protection mechanism.


Remediation

Install updates from the vendor's website.
