CVE-2021-40690

CVSS v3.1: 7.5 (High)
CVSS v2.0: 5.0 (Medium)
EPSS: 0.11% (44th percentile)
Affected Products: 18
Advisories: 3

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Weaknesses: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2021-09-19 18:15:07
Updated Date: 2023-11-07 03:38:37

Affected Products


Configuration #1

    Product | CPE23 | From | Up To
    Apache Santuario XML Security for Java (prior to 2.1.7) | cpe:2.3:a:apache:santuario_xml_security_for_java | | < 2.1.7
    Apache Santuario XML Security for Java (2.2.0 up to, but not including, 2.2.3) | cpe:2.3:a:apache:santuario_xml_security_for_java | >= 2.2.0 | < 2.2.3

Configuration #2

    Product | CPE23 | From | Up To
    Apache CXF 3.4.4 | cpe:2.3:a:apache:cxf:3.4.4 | |
    Apache TomEE (prior to 8.0.8) | cpe:2.3:a:apache:tomee | | < 8.0.8

Configuration #3

    Product | CPE23 | From | Up To
    Debian Linux 9.0 | cpe:2.3:o:debian:debian_linux:9.0 | |
    Debian Linux 10.0 | cpe:2.3:o:debian:debian_linux:10.0 | |
    Debian Linux 11.0 | cpe:2.3:o:debian:debian_linux:11.0 | |

Configuration #4

    Product | CPE23 | From | Up To
    Oracle Agile PLM 9.3.6 | cpe:2.3:a:oracle:agile_plm:9.3.6 | |
    Oracle Commerce Guided Search 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2 | |
    Oracle Commerce Platform 11.3.2 | cpe:2.3:a:oracle:commerce_platform:11.3.2 | |
    Oracle Communications Diameter Intelligence Hub (8.0.0 through 8.1.0) | cpe:2.3:a:oracle:communications_diameter_intelligence_hub | >= 8.0.0 | <= 8.1.0
    Oracle Communications Diameter Intelligence Hub (8.2.0 through 8.2.3) | cpe:2.3:a:oracle:communications_diameter_intelligence_hub | >= 8.2.0 | <= 8.2.3
    Oracle Communications Messaging Server 8.1 | cpe:2.3:a:oracle:communications_messaging_server:8.1 | |
    Oracle FLEXCUBE Private Banking 12.1.0 | cpe:2.3:a:oracle:flexcube_private_banking:12.1.0 | |
    Oracle Outside In Technology 8.5.5 | cpe:2.3:a:oracle:outside_in_technology:8.5.5 | |
    Oracle PeopleSoft Enterprise PeopleTools 8.58 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58 | |
    Oracle PeopleSoft Enterprise PeopleTools 8.59 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59 | |
    Oracle Retail Bulk Data Integration 16.0.3 | cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3 | |
    Oracle Retail Financial Integration 14.1.3.2 | cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2 | |
    Oracle Retail Financial Integration 15.0.3.1 | cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1 | |
    Oracle Retail Financial Integration 16.0.3 | cpe:2.3:a:oracle:retail_financial_integration:16.0.3 | |
    Oracle Retail Financial Integration 19.0.1 | cpe:2.3:a:oracle:retail_financial_integration:19.0.1 | |
    Oracle Retail Integration Bus 14.1.3.2 | cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2 | |
    Oracle Retail Integration Bus 15.0.3.1 | cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1 | |
    Oracle Retail Integration Bus 16.0.3 | cpe:2.3:a:oracle:retail_integration_bus:16.0.3 | |
    Oracle Retail Integration Bus 19.0.1 | cpe:2.3:a:oracle:retail_integration_bus:19.0.1 | |
    Oracle Retail Merchandising System 16.0.3 | cpe:2.3:a:oracle:retail_merchandising_system:16.0.3 | |
    Oracle Retail Merchandising System 19.0.1 | cpe:2.3:a:oracle:retail_merchandising_system:19.0.1 | |
    Oracle Retail Service Backbone 14.1.3.2 | cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2 | |
    Oracle Retail Service Backbone 15.0.3.1 | cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1 | |
    Oracle Retail Service Backbone 16.0.3 | cpe:2.3:a:oracle:retail_service_backbone:16.0.3 | |
    Oracle Retail Service Backbone 19.0.1 | cpe:2.3:a:oracle:retail_service_backbone:19.0.1 | |
    Oracle WebLogic Server 12.2.1.4.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0 | |
    Oracle WebLogic Server 14.1.1.0.0 | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0 | |