Описание
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
Отчет
Since OpenShift Container Platform (OCP) 4.7, the logging-elasticsearch6-container is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as Out of support scope because these versions are already under Maintenance Phase of the support.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Will not fix | ||
| Red Hat Ansible Automation Platform 1.2 | xmlsec | Not affected | ||
| Red Hat Ansible Tower 3 | xmlsec | Not affected | ||
| Red Hat Integration Service Registry | xmlsec | Affected | ||
| Red Hat JBoss Data Virtualization 6 | xmlsec | Out of support scope | ||
| Red Hat JBoss Fuse 6 | xmlsec | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | xmlsec | Out of support scope | ||
| Red Hat JBoss Operations Network 3 | xmlsec | Out of support scope | ||
| Red Hat JBoss SOA Platform 5 | xml-security | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
All versions of Apache Santuario - XML Security for Java prior to 2.2. ...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario
Уязвимость платформы для обеспечения безопасности XML-данных в приложениях на языке Java XML Apache Santuario XML Security for Java, связанная с ошибками при передачи свойства "secureValidation" при создании объекта KeyInfo из элемента KeyInfoReference, позволяющая нарушителю получить доступ к произвольным файлам с расширением .xml
EPSS
7.5 High
CVSS3