Apache XML Security for Java supports XML-Signature Syntax and Processing,
W3C Recommendation 12 February 2002, and XML Encryption Syntax and
Processing, W3C Recommendation 10 December 2002. As of version 1.4,
the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
Direct dependency fix Resolution (org.keycloak:keycloak-saml-core): 1.9.1.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-2646
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jar
It was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-2582
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jar
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2013-2172
### Vulnerable Library - xmlsec-1.5.1.jar
Apache XML Security for Java supports XML-Signature Syntax and Processing,
W3C Recommendation 12 February 2002, and XML Encryption Syntax and
Processing, W3C Recommendation 10 December 2002. As of version 1.4,
the library supports the standard Java API JSR-105: XML Digital Signature APIs.
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Keycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2013-4517
### Vulnerable Library - xmlsec-1.5.1.jarApache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Library home page: http://santuario.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/1.5.1/xmlsec-1.5.1.jar
Dependency Hierarchy: - keycloak-saml-core-1.8.1.Final.jar (Root Library) - :x: **xmlsec-1.5.1.jar** (Vulnerable Library)
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` com.veracode.verademo.controller.ToolsController (Application) -> org.apache.log4j.LogManager (Extension) -> org.apache.log4j.helpers.OptionConverter (Extension) -> org.apache.xml.security.utils.XMLUtils (Extension) ... -> org.apache.xml.security.Init (Extension) -> org.apache.xml.security.transforms.Transform (Extension) -> ❌ org.apache.xml.security.transforms.TransformSpi (Vulnerable Component) ``` ### Vulnerability DetailsApache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
Publish Date: 2014-01-11
URL: CVE-2013-4517
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4517
Release Date: 2014-01-11
Fix Resolution (org.apache.santuario:xmlsec): 1.5.6
Direct dependency fix Resolution (org.keycloak:keycloak-saml-core): 1.9.1.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-2646
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jarKeycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar
Dependency Hierarchy: - :x: **keycloak-saml-core-1.8.1.Final.jar** (Vulnerable Library)
Found in base branch: main
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIt was found that when Keycloak before 2.5.5 receives a Logout request with a Extensions in the middle of the request, the SAMLSloRequestParser.parse() method ends in a infinite loop. An attacker could use this flaw to conduct denial of service attacks.
Publish Date: 2018-07-27
URL: CVE-2017-2646
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-2646
Release Date: 2018-07-27
Fix Resolution: 2.5.5.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-2582
### Vulnerable Library - keycloak-saml-core-1.8.1.Final.jarKeycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/keycloak/keycloak-saml-core/1.8.1.Final/keycloak-saml-core-1.8.1.Final.jar
Dependency Hierarchy: - :x: **keycloak-saml-core-1.8.1.Final.jar** (Vulnerable Library)
Found in base branch: main
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIt was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
Publish Date: 2018-07-26
URL: CVE-2017-2582
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2582
Release Date: 2018-07-26
Fix Resolution: 2.5.1.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2013-2172
### Vulnerable Library - xmlsec-1.5.1.jarApache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Library home page: http://santuario.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/1.5.1/xmlsec-1.5.1.jar
Dependency Hierarchy: - keycloak-saml-core-1.8.1.Final.jar (Root Library) - :x: **xmlsec-1.5.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsjcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Publish Date: 2013-08-20
URL: CVE-2013-2172
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2172
Release Date: 2013-08-20
Fix Resolution (org.apache.santuario:xmlsec): 1.5.5
Direct dependency fix Resolution (org.keycloak:keycloak-saml-core): 1.9.1.Final
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.