Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions.

References

archives.neohapsis.com/archives/fulldisclosure/2013-06/0142.html

santuario.apache.org/secadv.data/CVE-2013-2155.txt

svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp?r1=1125752&r2=1493960&pathrev=1493960&diff_format=h

www.debian.org/security/2013/dsa-2710

lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E

lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E

www.tenable.com/security/tns-2018-15

cve 2

debiancve 2

nvd 2

securityvulns 7

prion 2

ubuntucve 2

freebsd 2

nessus 67

openvas 69

debian 9

centos 2

oraclelinux 2

fedora 6

mskb 1

osv 3

cert 1

checkpoint_advisories 2

cvelist 1

github 1

veracode 1

redhat 4

ubuntu 3

ibm 2

mageia 1

suse 3

threatpost 1

gentoo 1

cve

CVE-2013-2155

2013-08-20 22:55:03

CVE-2009-0217

2009-07-14 23:30:00

debiancve

CVE-2013-2155

2013-08-20 22:55:03

CVE-2009-0217

2009-07-14 23:30:00

nvd

CVE-2013-2155

2013-08-20 22:55:03

CVE-2009-0217

2009-07-14 23:30:00

securityvulns

CVE-2013-2155: Apache Santuario C++ denial of service vulnerability

2013-07-01 00:00:00

Microsoft .Net XML signing protection bypass

2010-06-09 00:00:00

Microsoft Security Bulletin MS10-041 - Important Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)

2010-06-09 00:00:00

prion

Design/Logic Flaw

2013-08-20 22:55:00

Authentication flaw

2009-07-14 23:30:00

ubuntucve

CVE-2013-2155

2013-08-20 00:00:00

CVE-2009-0217

2009-07-14 00:00:00

freebsd

mono -- XML signature HMAC truncation spoofing

2009-07-15 00:00:00

openoffice.org -- multiple vulnerabilities

2006-08-24 00:00:00

nessus

Solaris 10 (sparc) : 141709-03 (deprecated)

2009-06-03 00:00:00

Fedora 10 : xmlsec1-1.2.12-1.fc10 (2009-8456)

2009-08-12 00:00:00

Fedora 11 : xml-security-c-1.5.1-1.fc11 (2009-8157)

2009-08-01 00:00:00

openvas

Fedora Core 10 FEDORA-2009-8456 (xmlsec1)

2009-08-17 00:00:00

CentOS Update for xmlsec1 CESA-2009:1428 centos4 i386

2011-08-09 00:00:00

CentOS Update for xmlsec1 CESA-2009:1428 centos5 i386

2011-08-09 00:00:00

debian

[Backports-security-announce] Security Update for xml-security-c

2009-08-06 08:38:10

[SECURITY] [DSA 1849-1] New xml-security-c packages fix signature forgery

2009-08-02 13:48:02

[Backports-security-announce] Security Update for xml-security-c

2009-08-06 08:37:46

centos

xmlsec1 security update

2009-09-09 00:48:06

java security update

2009-08-09 04:11:10

oraclelinux

xmlsec1 security update

2009-09-09 00:00:00

java-1.6.0-openjdk security and bug fix update

2009-08-06 00:00:00

fedora

[SECURITY] Fedora 10 Update: xml-security-c-1.5.1-1.fc10

2009-07-31 17:59:26

[SECURITY] Fedora 11 Update: xmlsec1-1.2.12-1.fc11

2009-08-11 22:33:07

[SECURITY] Fedora 11 Update: xml-security-c-1.5.1-1.fc11

2009-07-31 18:04:52

mskb

MS10-041: Vulnerabilities in the Microsoft .NET Framework that could allow tampering

2012-05-08 22:34:55

osv

Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation

2022-05-02 03:13:38

xml-security-c - several

2013-06-18 00:00:00

openoffice.org - several

2010-02-12 00:00:00

cert

XML signature HMAC truncation authentication bypass

2009-07-14 00:00:00

checkpoint_advisories

Microsoft XML Signature HMAC Truncation Bypass (MS10-041) - Ver2 (CVE-2009-0217)

2015-03-26 00:00:00

Microsoft XML Signature HMAC Truncation Bypass (MS10-041; CVE-2009-0217)

2010-06-08 00:00:00

cvelist

CVE-2009-0217

2009-07-14 23:00:00

github

Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation

2022-05-02 03:13:38

veracode

Authentication Bypass

2020-04-10 00:35:27

redhat

(RHSA-2009:1428) Moderate: xmlsec1 security update

2009-09-08 00:00:00

(RHSA-2009:1649) Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update

2009-12-09 00:00:00

(RHSA-2009:1201) Important: java-1.6.0-openjdk security and bug fix update

2009-08-06 00:00:00

ubuntu

Mono vulnerabilities

2009-08-26 00:00:00

OpenOffice.org vulnerabilities

2010-02-24 00:00:00

OpenJDK vulnerabilities

2009-08-11 00:00:00

ibm

Security Bulletin: Multiple vulnerabilities in Apache Santuario XML Security for Java affect IBM InfoSphere Information Server

2022-10-14 22:24:44

Security Bulletin: A vulnerability in Apache XML Security for Java affects IBM Tivoli Business Service Manager (CVE-2013-4517, CVE-2013-2172, CVE-2009-0217, CVE-2021-40690)

2022-10-06 04:39:35

mageia

Updated xml-security-c package fixes multiple security vulnerabilities

2013-07-01 23:12:07

suse

remote code execution in OpenOffice_org

2010-03-16 16:11:32

remote code execution in java-1_6_0-ibm

2009-11-04 15:26:34

remote code execution in java-1_6_0-ibm

2010-01-12 17:47:21

threatpost

OpenOffice Zaps Six Security Bugs

2010-02-18 15:09:26

gentoo

Mono: Multiple vulnerabilities

2012-06-21 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

6.9 Medium

AI Score

Confidence

High

0.973 High

EPSS

Percentile

99.9%

JSON

Related for CVELIST:CVE-2013-2155