Category:   Application (Security)  >   Apache Santuario
Vendors:   Apache Software Foundation
Apache Santuario Streaming XML Signature Bug Lets Remote Users Bypass Signature Verification
SecurityTracker Alert ID:  1031556
SecurityTracker URL:  http://securitytracker.com/id/1031556
CVE Reference:   CVE-2014-8152
Date:  Jan 20 2015
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.x prior to 2.0.3
Description:   A vulnerability was reported in Apache Santuario. A remote user can bypass signature verification.

A remote user can modify an XML document so that the streaming XML Signature verification code will not detect the modification and will verify the document.

Only the streaming XML Signature implementation is affected. The DOM API implementation is not affected. The JSR-105 API is not affected.

Jaime Pallares Rel, Software Development Director at Logalty, reported this vulnerability.

Impact:   A remote user can bypass signature verification.
Solution:   The vendor has issued a fix (2.0.3).

The vendor's advisory is available at:

http://santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc

Vendor URL:  santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

