CVE-2013-2172

Name of the Vulnerable Software and Affected Versions Apache Santuario XML Security for Java versions 1.4.x through 1.4.7 Apache Santuario XML Security for Java versions 1.5.x through 1.5.4

Description The issue allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature. This is related to errors in data encryption. Exploitation of the issue may allow a remote attacker to substitute an XML signature.

Recommendations For Apache Santuario XML Security for Java versions 1.4.x through 1.4.7, update to version 1.4.8 or later. For Apache Santuario XML Security for Java versions 1.5.x through 1.5.4, update to version 1.5.5 or later. As a temporary workaround, consider restricting the use of the CanonicalizationMethod parameter to minimize the risk of exploitation.