CVE-2021-40690 vulnerability in Apache and Other Products
Published on September 19, 2021
Bypass of the secureValidation property
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
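The defensive posture this description implies is threefold: upgrade to a fixed release, request secure validation explicitly rather than relying on a default, and avoid letting an untrusted KeyInfo drive key resolution at all. The following Java snippet is an added example written for this page, not code from the advisory or from the Apache Santuario project. It validates an enveloped XML Signature through the JSR-105 API (which Santuario implements as a provider), turns on the `org.jcp.xml.dsig.secureValidation` property, pins the expected public key instead of resolving one from KeyInfo, and refuses documents whose KeyInfo carries a RetrievalMethod. The class and method names are hypothetical.

```java
import java.io.File;
import java.security.PublicKey;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.RetrievalMethod;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper class; illustrates a hardened validation path only.
public class SecureSignatureValidation {
    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Parse with DTDs disabled so the parser itself cannot be used to read local files.
    static Document parse(File signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(signedXml);
    }

    // Returns true only if exactly one ds:Signature is present, its KeyInfo contains no
    // RetrievalMethod, and the signature verifies under the pinned key with secure
    // validation enabled. The caller supplies the key it already trusts (signerKey).
    static boolean validate(File signedXml, PublicKey signerKey) throws Exception {
        Document doc = parse(signedXml);
        NodeList sigs = doc.getElementsByTagNameNS(DS_NS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // ambiguous or missing signature element
        }

        // Pinning the key means KeyInfo is never used to locate key material,
        // so a RetrievalMethod in the document is never dereferenced by the library.
        DOMValidateContext ctx = new DOMValidateContext(signerKey, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Defence in depth: reject any KeyInfo that asks the verifier to fetch
        // key material from elsewhere, regardless of library version.
        KeyInfo keyInfo = sig.getKeyInfo();
        if (keyInfo != null) {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof RetrievalMethod) {
                    return false;
                }
            }
        }
        return sig.validate(ctx);
    }
}
```

Secure validation in JSR-105 is what Santuario maps onto its own `secureValidation` flag; setting it on the context is the supported way to ask for it from application code. The RetrievalMethod check is independent of the version fix: it removes the element class the advisory names from the trust decision entirely, so an unpatched dependency pulled in transitively still cannot be steered into resolving a reference. Upgrading to 2.2.3 or 2.1.7 (or later) remains necessary for any code path that does resolve keys from KeyInfo.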
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2021-40690 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2021-40690
Affected Versions
Apache Software Foundation, Apache Santuario (XML Security for Java): all versions prior to 2.2.3 and prior to 2.1.7 are affected.
Exploit Probability
EPSS: 0.38%
Percentile: 58.89%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.