The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apache Santuario XML Security for C++

vulnerability note 27874

Apache XML Security for C++: denial of service via DSA Key KeyInfo Combinations

Synthesis of the vulnerability

An attacker can generate a fatal error via DSA Key KeyInfo Combinations of Apache XML Security for C++, in order to trigger a denial of service.
Impacted products: Apache XML Security for C++, Debian, Fedora.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 26/11/2018.
Identifiers: DLA-1594-1, FEDORA-2018-a0d02065d0, VIGILANCE-VUL-27874.

Description of the vulnerability

An attacker can generate a fatal error via DSA Key KeyInfo Combinations of Apache XML Security for C++, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 26907

Apache XML Security for C++: NULL pointer dereference via KeyInfo

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via KeyInfo of Apache XML Security for C++, in order to trigger a denial of service.
Impacted products: Apache XML Security for C++, Debian, Shibboleth SP.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 06/08/2018.
Identifiers: DLA-1458-1, DSA-4265-1, SANTUARIO-491, VIGILANCE-VUL-26907.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via KeyInfo of Apache XML Security for C++, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2011-2516

Apache Santuario XML Security: buffer overflow via large keys

Synthesis of the vulnerability

An attacker can use a large RSA key, in order to create a buffer overflow in C++ applications linked to Apache Santuario XML Security.
Impacted products: Apache XML Security for C++, Debian, Fedora.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 11/07/2011.
Identifiers: BID-48611, CERTA-2003-AVI-004, CVE-2011-2516, DSA-2277-1, FEDORA-2011-9494, FEDORA-2011-9501, VIGILANCE-VUL-10824.

Description of the vulnerability

The W3C XMLDsig (XML Signature Syntax and Processing) recommendation indicates how to sign XML documents. The Apache Santuario XML Security library implements XMLDsig for programs written in C++ language.

The DSIGAlgorithmHandlerDefault::signToSafeBuffer() and OpenSSLCryptoKeyRSA::verifySHA1PKCS1Base64Signature() methods sign and check the signature. However, these functions use a fixed size array of 1024 bytes (8192 bit).

An attacker can therefore use a large RSA key, in order to create a buffer overflow in C++ applications linked to Apache Santuario XML Security. For example, if the application checks signatures with a key larger than 8192 bit, the attacker can stop it or execute code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Apache Santuario XML Security for C++: