CVE-2013-2155: Apache Santuario XML Security for C++ contains denial
of service and hash length bypass issues while processing HMAC signatures
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache Santuario XML Security for C++ library versions
prior to V1.7.1
Description: A bug exists in the processing of the output length of an
HMAC-based XML Signature that would cause a denial of service when
processing specially chosen input. Exploitation of this issue does
not require authenticated content.
In very unusual cases, inputs could be chosen in such a way that
the fix for the issue in CVE-2009-0217 could be bypassed, enabling
improper verification of a signature.
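The following C++ fragment is an added illustration, not Santuario's own code: it shows how a verifier can enforce the HMACOutputLength minimums that the CVE-2009-0217 fix introduced (at least 80 bits and at least half the digest length, per XML Signature 1.1) and then compare only the declared number of bits without over-reading the tag buffers. The function names and the sample tag values are constructed for this example.

```cpp
// Added example (not Santuario code): policy check on a declared
// HMACOutputLength, followed by a bounded, constant-time truncated compare.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical policy check. XML Signature 1.1 (6.3.1) requires the declared
// length to be >= 80 bits and >= half the digest length; we also fail closed
// on non-positive values and on lengths above the digest length so that no
// later arithmetic can wrap or index past the tag. A caller that sees no
// HMACOutputLength element passes digestBits as the declared value.
bool hmacOutputLengthIsValid(long declaredBits, std::size_t digestBits) {
    if (declaredBits <= 0) return false;
    if (static_cast<std::size_t>(declaredBits) > digestBits) return false;
    if (declaredBits < 80) return false;
    if (static_cast<std::size_t>(declaredBits) * 2 < digestBits) return false;
    return true;
}

// Constant-time comparison of the leading `bits` bits of two tags. Bits are
// taken high-bit first, so a length that is not a multiple of 8 masks the
// trailing partial byte instead of comparing (or reading) a whole extra byte.
bool truncatedTagsMatch(const std::vector<std::uint8_t>& a,
                        const std::vector<std::uint8_t>& b,
                        std::size_t bits) {
    std::size_t fullBytes = bits / 8;
    std::size_t tailBits = bits % 8;
    std::size_t needed = fullBytes + (tailBits ? 1 : 0);
    if (a.size() < needed || b.size() < needed) return false;  // never over-read
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < fullBytes; ++i) diff |= a[i] ^ b[i];
    if (tailBits) {
        std::uint8_t mask = static_cast<std::uint8_t>(0xFF << (8 - tailBits));
        diff |= (a[fullBytes] ^ b[fullBytes]) & mask;
    }
    return diff == 0;
}

// What a verifier runs: reject the signature before touching the tags when
// the declared length is out of policy, otherwise compare only that prefix.
bool verifyHmacSignature(const std::vector<std::uint8_t>& computedTag,
                         const std::vector<std::uint8_t>& receivedTag,
                         long declaredBits, std::size_t digestBits) {
    if (!hmacOutputLengthIsValid(declaredBits, digestBits)) return false;
    return truncatedTagsMatch(computedTag, receivedTag,
                              static_cast<std::size_t>(declaredBits));
}
```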
Mitigation: Applications that support HMAC signatures and are using library
versions older than V1.7.1 should upgrade as soon as possible. Distributors
of older versions should apply the patches from this Subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=1493960
Credit: This issue was reported by James Forshaw, Context Information
Security
References: http://santuario.apache.org/