CVSS2: 5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low (Percentile: 43.9%)

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and
2.1.7 are vulnerable to an issue where the "secureValidation" property is
not passed correctly when creating a KeyInfo from a KeyInfoReference
element. This allows an attacker to abuse an XPath Transform to extract any
local .xml files in a RetrievalMethod element.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxml-security-java | < 2.0.10-2~18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | libxml-security-java | < 2.0.10-2+deb11u1build0.20.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | libxml-security-java | < any | UNKNOWN |

launchpad.net/bugs/cve/CVE-2021-40690
lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-40690
santuario.apache.org/secadv.data/CVE-2021-40690.txt.asc
security-tracker.debian.org/tracker/CVE-2021-40690
ubuntu.com/security/notices/USN-5525-1
www.cve.org/CVERecord?id=CVE-2021-40690