CVE-2021-40690

Summary

CVE	CVE-2021-40690
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-09-19 18:15:00 UTC
Updated	2023-11-07 03:38:00 UTC
Description	All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Cxf	3.4.4	All	All	All
Application	Apache	Santuario Xml Security For Java	All	All	All	All
Application	Apache	Tomee	All	All	All	All
Application	Apache	Xml Security For Java	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Commerce Platform	11.3.2	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Application	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Flexcube Private Banking	12.1.0	All	All	All
Application	Oracle	Outside In Technology	8.5.5	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Retail Bulk Data Integration	16.0.3	All	All	All
Application	Oracle	Retail Financial Integration	14.1.3.2	All	All	All
Application	Oracle	Retail Financial Integration	15.0.3.1	All	All	All
Application	Oracle	Retail Financial Integration	16.0.3	All	All	All
Application	Oracle	Retail Financial Integration	19.0.1	All	All	All
Application	Oracle	Retail Integration Bus	14.1.3.2	All	All	All
Application	Oracle	Retail Integration Bus	15.0.3.1	All	All	All
Application	Oracle	Retail Integration Bus	16.0.3	All	All	All
Application	Oracle	Retail Integration Bus	19.0.1	All	All	All
Application	Oracle	Retail Merchandising System	16.0.3	All	All	All
Application	Oracle	Retail Merchandising System	19.0.1	All	All	All
Application	Oracle	Retail Service Backbone	14.1.3.2	All	All	All
Application	Oracle	Retail Service Backbone	15.0.3.1	All	All	All
Application	Oracle	Retail Service Backbone	16.0.3	All	All	All
Application	Oracle	Retail Service Backbone	19.0.1	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All

References

Reference	Source	Link	Tags
[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability		lists.apache.org
CVE-2021-40690 Apache XML Security for Java Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!	MLIST	lists.apache.org
[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability		lists.apache.org
Debian -- Security Information -- DSA-5010-1 libxml-security-java	DEBIAN	www.debian.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] [DLA 2767-1] libxml-security-java security update	MLIST	lists.debian.org
[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MISC	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability		lists.apache.org
[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4		lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: An Trinh, Calif.

Legacy QID Mappings

178811 Debian Security Update for libxml-security-java (DLA 2767-1)
178899 Debian Security Update for libxml-security-java (DSA 5010-1)
182723 Debian Security Update for libxml-security-java (CVE-2021-40690)
198870 Ubuntu Security Notification for Apache Extensible Markup Language (XML) Security for Java Vulnerability (USN-5525-1)
239965 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 7 (RHSA-2021:5150)
239966 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 8 (RHSA-2021:5151)
239967 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 6 (RHSA-2021:5149)
376547 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)
730577 Atlassian Jira Server and Data Center Extensible Markup Language (XML) Security Vulnerability (JRASERVER-73580)
730639 Atlassian Jira Server and Data Center Abuse XPath Transform Vulnerability (JRASERVER-74420)
87496 Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2022)
980105 Java (maven) Security Update for org.apache.santuario:xmlsec (GHSA-j8wc-gxx9-82hx)