CVE-2013-2172
libxml-security-java - security update
EPSS 3.6%
Description
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
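Upgrading is the fix; as an added defense-in-depth example (not code from this page or from Apache Santuario), the following JSR-105 verifier refuses any SignedInfo whose CanonicalizationMethod is not one of the four standard C14N URIs before it validates the signature, and pins the verification key rather than trusting KeyInfo. The class name, method name and the caller-supplied key are assumptions.

```java
import java.io.File;
import java.security.PublicKey;
import java.util.Set;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class C14nAllowlistValidator {
    // The four standard C14N algorithm URIs; any other value in SignedInfo is rejected.
    private static final Set<String> ALLOWED_C14N = Set.of(
        CanonicalizationMethod.INCLUSIVE,
        CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS,
        CanonicalizationMethod.EXCLUSIVE,
        CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS);

    /** Returns true only if the document carries exactly one Signature that is
     *  valid under expectedKey AND uses an allow-listed canonicalization method. */
    public static boolean validate(File signedXml, PublicKey expectedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DTDs so the parse step itself cannot be abused (XXE, entity expansion).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            return false; // exactly one Signature element expected
        }
        // Pin the key: do not let the document choose what it is verified against.
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(expectedKey), nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // CVE-2013-2172 check: the algorithm applied to SignedInfo must be real C14N,
        // not an arbitrary transform the signer was allowed to pick.
        String c14n = sig.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (!ALLOWED_C14N.contains(c14n)) {
            return false;
        }
        return sig.validate(ctx);
    }
}
```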
How to fix CVE-2013-2172
To remediate CVE-2013-2172, upgrade the affected package to a fixed version below.
- Debian/libxml-security-java: upgrade to 1.5.5-2 or later
- Debian/libxml-security-java: upgrade to 1.4.3-2+deb6u1 or later
- upgrade to 1.4.5-1+deb7u1 or later
- upgrade to 1.4.8 or later
Is CVE-2013-2172 being exploited?
Low. The EPSS score is 3.6%, a low estimated probability of exploitation in the wild over the next 30 days; it does not indicate exploitation activity at scale.
Affected packages (4)
- from 0, < 1.5.5-2
- from 0, < 1.4.3-2+deb6u1
- from 0, < 1.4.5-1+deb7u1
- >= 1.4.0, < 1.4.8