An issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. External Reference: https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html
Created xml-security tracking bugs for this issue: Affects: epel-7 [bug 2011192] Created xml-security-c tracking bugs for this issue: Affects: fedora-all [bug 2011191]
Marking this flaw as having a Moderate impact (was Important) as per Red Hat security ratings - "This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations." This is based on the flaw requiring some prerequisites which we think are unlikely to occur in applications using Santuario, namely that unprivileged users would be able to manipulate XML to inject the RetrievalMethod element and that XPath transformations would also be under the attacker's control.
Is there any patch for that issue? If not, I don't see what more I can do ATM.
@Tomasz thanks for your enquiry, the likely fixing commit (https://github.com/apache/santuario-xml-security-java/pull/51/commits/5bcbf7d4c5ef36f09543b05294e9497bae0f95f6) is specific to the Java implementation, so I do not believe this affects xml-security-c.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Data Virtualization 6
* Red Hat JBoss Operations Network 3
* Red Hat JBoss SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151
This issue has been addressed in the following products: EAP 7.3.10 GA Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40690
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.10 Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170
This issue has been addressed in the following products: Red Hat EAP-XP 2 via EAP 7.3.x base Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151
This issue has been addressed in the following products: RHSSO 7.5.1 Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164
This issue has been addressed in the following products: RHINT Service Registry 2.0.3 GA Via RHSA-2022:0501 https://access.redhat.com/errata/RHSA-2022:0501
This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This issue has been addressed in the following products: RHAF Camel-K 1.8 Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407