CVE-2024-34580

Name of the Vulnerable Software and Affected Versions Apache XML Security for C++ versions 2.0.4 and earlier

Description The issue is related to the implementation of the XML Signature Syntax and Processing (XMLDsig) specification, which lacks protection against an SSRF payload in a KeyInfo element. It is noted that the project disputes this issue, stating that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. The library's use requires considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case.

Recommendations For Apache XML Security for C++ versions 2.0.4 and earlier, consider avoiding direct use of this library due to the complexity and security concerns associated with its implementation. As a temporary workaround, consider restricting the use of the KeyInfo element to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.