CVE-2013-2153: Apache Santuario XML Security for C++ contains an XML Signature Bypass issue

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Santuario XML Security for C++ library versions prior to V1.7.1

Description: The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content. The vulnerability affects only applications that do not perform proper checking/analysis of the content of the Reference elements in the Signature, but the bug exacerbates this problem by opening such applications to attacks using arbitrary content, instead of just attacks involving malicious, but signed, content.

Mitigation: Applications using library versions older than V1.7.1 should upgrade as soon as possible. Distributors of older versions should apply the patches from this Subversion revision: http://svn.apache.org/viewvc?view=revision&revision=r1493959

Applications that appropriately examine the content of the signatures they accept are immune to this issue. The only API provided for this purpose in the library is to examine the individual Reference elements to enforce limitations over their content, and doing so will prevent this vulnerability. Developers with questions about this should inquire on the Santuario project's mailing list.

Credit: This issue was reported by James Forshaw, Context Information Security
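The Reference-content check that the mitigation describes, as an added illustration that is not the Santuario library's code or API: it uses Python's standard XML parser over constructed sample documents to show the policy an application must enforce on its own (the library verifies the signature; the application must confirm that the References actually cover the content it acts on). The sample documents, element IDs and function names are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample documents (not taken from the advisory).
# GOOD: the Reference covers the element the application consumes.
GOOD = """<Order ID="order-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Item>widget</Item>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#order-1"><ds:DigestValue>d</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>s</ds:SignatureValue></ds:Signature>
</Order>"""
# SPOOFED: a reused signature that only covers Note, wrapped around arbitrary
# Order content; a consumer that checks signature validity alone accepts it.
SPOOFED = """<Order ID="order-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Item>anything the sender chose</Item>
  <Note ID="note-1">the only content the signature covers</Note>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#note-1"><ds:DigestValue>d</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>s</ds:SignatureValue></ds:Signature>
</Order>"""
# EMPTY: a Signature whose SignedInfo carries no Reference at all.
EMPTY = ('<Order ID="order-1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
         '<ds:Signature><ds:SignedInfo/></ds:Signature></Order>')

def reference_uris(xml_text):
    """URI attribute of every ds:Reference under the document's ds:Signature."""
    root = ET.fromstring(xml_text)
    path = f".//{DS}Signature/{DS}SignedInfo/{DS}Reference"
    return [ref.get("URI") for ref in root.findall(path)]

def signature_covers(xml_text, expected_id):
    """Policy check to run alongside (never instead of) cryptographic verification:
    accept only if some Reference covers the element the application will act on,
    either the whole document (URI="") or the fragment #expected_id, and every
    Reference is a same-document fragment resolving to exactly one element."""
    root = ET.fromstring(xml_text)
    uris = reference_uris(xml_text)
    if not uris:
        return False  # a Signature with no References vouches for nothing
    covered = False
    for uri in uris:
        if uri == "":
            covered = True  # enveloped signature over the entire document
        elif uri and uri.startswith("#"):
            frag = uri[1:]
            targets = [e for e in root.iter() if frag in (e.get("ID"), e.get("Id"))]
            if len(targets) != 1:
                return False  # dangling or ambiguous ID: refuse rather than guess
            covered = covered or frag == expected_id
        else:
            return False  # external or non-fragment References are not accepted here
    return covered
```

The same loop applies to the library's own Reference list: reject the document unless the References resolve to the content you are about to trust.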