CVE-2021-40690
Published on: 09/19/2021 12:00:00 AM UTC
Last Modified on: 10/05/2022 02:06:00 AM UTC
Certain versions of Apache Santuario (XML Security for Java), and of products that bundle it such as Apache CXF, contain the following vulnerability:
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
- CVE-2021-40690 has been assigned by the Apache Software Foundation (security@apache.org) to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software:
Apache Software Foundation - Apache Santuario (XML Security for Java) versions before 2.2.3 on the 2.2.x line and before 2.1.7 on the 2.1.x line
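The advisory names both the fixed releases and the document shape that triggers the bug (a KeyInfoReference that leads to a KeyInfo whose RetrievalMethod dereferences a local file and applies an XPath Transform). The Python below is an added example, not code from Apache Santuario, Apache CXF or this page. It turns the two facts into triage checks: a version comparison against the fixed releases, and a pre-parse scan of an XML-Signature document for that element chain. The XML samples are constructed for the example (they are not valid signatures and not the public PoC), the `file:///path/to/local.xml` path is a placeholder, and the rule that release lines newer than 2.2 carry the fix while lines older than 2.1 were never patched is an assumption drawn from the advisory's "prior to 2.2.3 and 2.1.7" wording.

```python
"""Triage helpers for CVE-2021-40690 (Apache Santuario secureValidation bypass).

Added example; not code from Apache Santuario, Apache CXF or the advisory.
  is_fixed_santuario(): is an org.apache.santuario:xmlsec version at or past
      the fixed releases named in the advisory (2.2.3 / 2.1.7)?
  scan_keyinfo(): does a document contain a RetrievalMethod that fetches a
      non-fragment URI and/or applies an XPath Transform, and is it reached
      through a dsig11:KeyInfoReference (the path that lost secureValidation)?
"""
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"
# Transform algorithm URIs for XPath (XMLDSIG core) and XPath Filter 2.0.
XPATH_ALGORITHMS = {
    "http://www.w3.org/TR/1999/REC-xpath-19991116",
    "http://www.w3.org/2002/06/xmldsig-filter2",
}
# Fixed release per affected line, from the advisory text.
FIXED = {(2, 2): (2, 2, 3), (2, 1): (2, 1, 7)}


def parse_version(version):
    """'2.2.3' -> (2, 2, 3); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_fixed_santuario(version):
    """True when this xmlsec version carries the CVE-2021-40690 fix.

    Assumption: lines newer than 2.2 (2.3.x, 3.x) were cut after the fix and
    include it; lines older than 2.1 never received a backport.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    return line > (2, 2)


def scan_keyinfo(xml_text):
    """Return one finding per RetrievalMethod that fetches content or runs XPath."""
    root = ET.fromstring(xml_text)
    # Ids of KeyInfo elements that a KeyInfoReference points at via URI="#id".
    referenced_ids = {
        r.get("URI", "")[1:]
        for r in root.iter(f"{{{DS11}}}KeyInfoReference")
        if r.get("URI", "").startswith("#")
    }
    findings = []
    for keyinfo in root.iter(f"{{{DS}}}KeyInfo"):
        via_reference = keyinfo.get("Id") in referenced_ids
        for rm in keyinfo.iter(f"{{{DS}}}RetrievalMethod"):
            uri = rm.get("URI", "")
            algorithms = {t.get("Algorithm") for t in rm.iter(f"{{{DS}}}Transform")}
            reasons = []
            if not uri.startswith("#"):
                reasons.append("non-fragment URI: dereferences a local file or remote resource")
            if algorithms & XPATH_ALGORITHMS:
                reasons.append("XPath Transform applied to the retrieved content")
            if reasons:
                findings.append({"uri": uri, "via_keyinfo_reference": via_reference,
                                 "reasons": reasons})
    return findings


# Constructed sample (placeholder path, not a valid signature): the Signature's
# KeyInfo only holds a KeyInfoReference; the referenced KeyInfo fetches a local
# file and applies an XPath Transform to it.
MALICIOUS_SAMPLE = """<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:dsig11="http://www.w3.org/2009/xmldsig11#">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><dsig11:KeyInfoReference URI="#ki-external"/></ds:KeyInfo>
  </ds:Signature>
  <ds:KeyInfo Id="ki-external">
    <ds:RetrievalMethod URI="file:///path/to/local.xml">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath>/*</ds:XPath>
        </ds:Transform>
      </ds:Transforms>
    </ds:RetrievalMethod>
  </ds:KeyInfo>
</doc>"""

# Constructed benign sample: same-document RetrievalMethod, no transforms.
BENIGN_SAMPLE = """<doc xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo>
    <ds:RetrievalMethod URI="#cert1" Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
  </ds:KeyInfo>
  <ds:X509Data Id="cert1"><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data>
</doc>"""

if __name__ == "__main__":
    for ver in ("2.1.6", "2.1.7", "2.2.2", "2.2.3", "2.3.0"):
        print(f"xmlsec {ver}: {'fixed' if is_fixed_santuario(ver) else 'VULNERABLE'}")
    for finding in scan_keyinfo(MALICIOUS_SAMPLE):
        print(finding)
    print("benign findings:", scan_keyinfo(BENIGN_SAMPLE))
```

The scan is a coarse pre-filter, not a replacement for upgrading: a RetrievalMethod with a same-document URI and no transforms is normal XMLDSIG usage, whereas a non-fragment URI or an XPath Transform inside KeyInfo is something an inbound-signature gateway can reject outright regardless of library version.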
CVSS3 Score: 7.5 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|---|---|
NETWORK | LOW | NONE | NONE | UNCHANGED | HIGH | NONE | NONE |
CVSS2 Score: 5 - MEDIUM
Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|
NETWORK | LOW | NONE | PARTIAL | NONE | NONE |
Related QID Numbers
- 178811 Debian Security Update for libxml-security-java (DLA 2767-1)
- 178899 Debian Security Update for libxml-security-java (DSA 5010-1)
- 198870 Ubuntu Security Notification for Apache Extensible Markup Language (XML) Security for Java Vulnerability (USN-5525-1)
- 239965 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 7 (RHSA-2021:5150)
- 239966 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 8 (RHSA-2021:5151)
- 239967 Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 6 (RHSA-2021:5149)
- 376547 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)
- 730577 Atlassian Jira Server and Data Center Extensible Markup Language (XML) Security Vulnerability (JRASERVER-73580)
- 730639 Atlassian Jira Server and Data Center Abuse XPath Transform Vulnerability (JRASERVER-74420)
- 87496 Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2022)
- 980105 Java (maven) Security Update for org.apache.santuario:xmlsec (GHSA-j8wc-gxx9-82hx)
Exploit/PoC from GitHub
PoC for exploiting CVE-2021-40690 : All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7…
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Apache | Cxf | 3.4.4 | All | All | All |
Application | Apache | Tomee | All | All | All | All |
Application | Apache | Xml Security For Java | All | All | All | All |
Operating System | Debian | Debian Linux | 10.0 | All | All | All |
Operating System | Debian | Debian Linux | 11.0 | All | All | All |
Operating System | Debian | Debian Linux | 9.0 | All | All | All |
Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
Application | Oracle | Commerce Guided Search | 11.3.2 | All | All | All |
Application | Oracle | Commerce Platform | 11.3.2 | All | All | All |
Application | Oracle | Communications Diameter Intelligence Hub | All | All | All | All |
Application | Oracle | Communications Messaging Server | 8.1 | All | All | All |
Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
Application | Oracle | Outside In Technology | 8.5.5 | All | All | All |
Application | Oracle | Peoplesoft Enterprise Peopletools | 8.58 | All | All | All |
Application | Oracle | Peoplesoft Enterprise Peopletools | 8.59 | All | All | All |
Application | Oracle | Retail Bulk Data Integration | 16.0.3 | All | All | All |
Application | Oracle | Retail Financial Integration | 14.1.3.2 | All | All | All |
Application | Oracle | Retail Financial Integration | 15.0.3.1 | All | All | All |
Application | Oracle | Retail Financial Integration | 16.0.3 | All | All | All |
Application | Oracle | Retail Financial Integration | 19.0.1 | All | All | All |
Application | Oracle | Retail Integration Bus | 14.1.3.2 | All | All | All |
Application | Oracle | Retail Integration Bus | 15.0.3.1 | All | All | All |
Application | Oracle | Retail Integration Bus | 16.0.3 | All | All | All |
Application | Oracle | Retail Integration Bus | 19.0.1 | All | All | All |
Application | Oracle | Retail Merchandising System | 16.0.3 | All | All | All |
Application | Oracle | Retail Merchandising System | 19.0.1 | All | All | All |
Application | Oracle | Retail Service Backbone | 14.1.3.2 | All | All | All |
Application | Oracle | Retail Service Backbone | 15.0.3.1 | All | All | All |
Application | Oracle | Retail Service Backbone | 16.0.3 | All | All | All |
Application | Oracle | Retail Service Backbone | 19.0.1 | All | All | All |
Application | Oracle | Weblogic Server | 12.2.1.4.0 | All | All | All |
Application | Oracle | Weblogic Server | 14.1.1.0.0 | All | All | All |
- cpe:2.3:a:apache:cxf:3.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xml_security_for_java:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Discovery Credit
An Trinh, Calif.
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
Twitter | CVE-2021-40690: Apache Santuario: Bypass of the secureValidation property: Posted by Colm O hEigeartaigh on Sep 17D… twitter.com/i/web/status/1… | 2021-09-17 13:14:02 |
Twitter | CVE-2021-40690 : All versions of #Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable… twitter.com/i/web/status/1… | 2021-09-19 17:27:43 |
 | CVE-2021-40690 dlvr.it/S7tQ8W | 2021-09-19 22:53:01 |