[ https://issues.apache.org/jira/browse/CXF-8613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-8613.
--------------------------------------
    Resolution: Fixed

> High Security issues reported with Apache Santuario library bundled in CXF 3.4.4
> --------------------------------------------------------------------------------
>
>                 Key: CXF-8613
>                 URL: https://issues.apache.org/jira/browse/CXF-8613
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.4.4
>            Reporter: WCM RnD
>            Priority: Critical
>             Fix For: 3.4.5
>
>
> High Security Vulnerability CVE-2021-40690 has been reported with the Apache 
> Santuario 2.2.2 library being bundled within CXF 3.4.4.
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40690] 
> h2. CVE-2021-40690
> *Affected Component(s):* Apache Santuario (Java), OpenEJB
> *Vulnerability Published:* 2021-09-19 14:15 EDT
> *Vulnerability Updated:* 2021-10-01 12:08 EDT
> *CVSS Score:* 7.5 (overall), 7.5 (base)
> *Summary*: All versions of Apache Santuario - XML Security for Java prior to 
> 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" 
> property is not passed correctly when creating a KeyInfo from a 
> KeyInfoReference element. This allows an attacker to abuse an XPath Transform 
> to extract any local .xml files in a RetrievalMethod element.
>  
> *Fixed in Apache Santuario version 2.2.3.*
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)