CVE-2013-4517 — Improper Input Validation in Apache Santuario XML Security

Description

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

How to fix CVE-2013-4517

To remediate CVE-2013-4517, upgrade the affected package to a fixed version below.

Debian/libxml-security-java—upgrade to 1.5.6-1 or later
Maven/org.apache.santuario:xmlsec—upgrade to 1.5.6 or later

Is CVE-2013-4517 being exploited?

Moderate — EPSS is 8.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.5.6-1
from 0, < 1.5.6

References (21)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4517
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4517
WEBpacketstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html
WEBrhn.redhat.com/errata/RHSA-2014-0170.html