CVE-2021-40690
XML Security vulnerability in xmlsec (Maven)
What is CVE-2021-40690 About?
This vulnerability in Apache Santuario - XML Security for Java allows an attacker to extract local XML files. It is caused by improper handling of the "secureValidation" property during KeyInfo creation from a KeyInfoReference element. Exploitation is moderately complex as it requires crafting specific XML input.
Affected Software
- org.apache.santuario:xmlsec
  - >2.2.0, <2.2.3
  - <2.1.7
Technical Details
The vulnerability exists in Apache Santuario - XML Security for Java because the 'secureValidation' property is not propagated when a KeyInfo object is instantiated from a KeyInfoReference element. Versions prior to 2.2.3 and 2.1.7 fail to pass this security-sensitive property through, so the KeyInfo built from the reference is processed as if secure validation were switched off. An attacker can therefore craft a KeyInfoReference element that uses an XPath Transform together with a RetrievalMethod element pointing at an arbitrary local .xml file; the library dereferences that file in the non-secure context and its contents are exposed. The attack vector is specially crafted XML input containing such a KeyInfoReference with a constructed XPath Transform and RetrievalMethod.
What is the Impact of CVE-2021-40690?
Successful exploitation may allow attackers to disclose sensitive local files, which could lead to further system compromise or information exposure.
What is the Exploitability of CVE-2021-40690?
Exploitation of this vulnerability requires a moderate level of complexity. An attacker needs to be able to submit specially crafted XML input to an application using Apache Santuario - XML Security for Java. No explicit authentication or privilege requirements are mentioned, so it could be exploited by an unauthenticated attacker if the vulnerable component is publicly accessible or if the attacker can otherwise inject XML content. It is likely remotely exploitable wherever the application processes external XML input. The primary constraint is the attacker's ability to control or inject XML data that reaches the vulnerable KeyInfo processing logic; the likelihood of exploitation rises when untrusted XML input is processed without strict validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-40690?
Available Upgrade Options
- org.apache.santuario:xmlsec
  - <2.1.7 → Upgrade to 2.1.7
  - >2.2.0, <2.2.3 → Upgrade to 2.2.3
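As an added example (not part of this advisory or of the Santuario project), the following Python script scans the output of `mvn dependency:tree -Dincludes=org.apache.santuario:xmlsec` for every xmlsec artifact, classifies each version against the affected ranges listed above and reports the upgrade target. The sample tree output embedded in the script, including the `com.example` and `org.example` artifact names, is constructed for the demonstration; the ranges and fixed versions are the ones stated on this page.

```python
import re

# Affected ranges and fixed versions exactly as the advisory states them.
# Each entry: (lower bound, exclusive; upper bound, exclusive; version to upgrade to).
# A lower bound of None means "any earlier version".
AFFECTED_RANGES = [
    (None, "2.1.7", "2.1.7"),
    ("2.2.0", "2.2.3", "2.2.3"),
]

# One artifact line of `mvn dependency:tree` output looks like:
#   "[INFO] +- org.apache.santuario:xmlsec:jar:2.2.1:compile"
# i.e. group:artifact:type:version[:scope] after the tree drawing characters.
TREE_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)


def parse_version(v):
    """Turn '2.2.1' (or '2.2.1-SNAPSHOT') into a comparable (major, minor, patch) tuple.
    A qualifier after '-' is dropped, so a SNAPSHOT is compared as its base version;
    short versions are padded with zeros so '2.2' compares equal to '2.2.0'."""
    base = v.split("-", 1)[0]
    parts = [int(p) for p in base.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fix_for(version):
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v > parse_version(lower)
        below_upper = v < parse_version(upper)
        if above_lower and below_upper:
            return fixed
    return None


def scan_dependency_tree(text):
    """Scan dependency:tree output and return a list of
    (version, scope, fix_or_None) for every org.apache.santuario:xmlsec occurrence."""
    findings = []
    for line in text.splitlines():
        m = TREE_LINE.search(line)
        if not m:
            continue
        if (m.group("group"), m.group("artifact")) != ("org.apache.santuario", "xmlsec"):
            continue
        version = m.group("version")
        findings.append((version, m.group("scope"), fix_for(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output: one transitive xmlsec in the
# affected 2.2.x range and one test-scoped xmlsec below 2.1.7.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.example:ws-framework:jar:1.0:compile
[INFO] |  \\- org.apache.santuario:xmlsec:jar:2.2.1:compile
[INFO] +- org.apache.santuario:xmlsec:jar:2.1.6:test
[INFO] \\- org.example:other-lib:jar:1.0:compile
"""

if __name__ == "__main__":
    for version, scope, fixed in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED by CVE-2021-40690, upgrade to {fixed}" if fixed else "not affected"
        print(f"org.apache.santuario:xmlsec {version} ({scope}): {status}")
```

In a real build, pipe the plugin's output into `scan_dependency_tree` instead of the sample text; transitive copies pulled in by a framework are the ones most often missed, which is why the scan keeps every occurrence rather than only the direct dependency.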
Additional Resources
- https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html
- https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59@%3Cissues.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E
- https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E
- https://www.debian.org/security/2021/dsa-5010
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-40690?
Similar Vulnerabilities: CVE-2022-26134, CVE-2021-28169, CVE-2020-9489, CVE-2022-22965, CVE-2023-28437
