CVE: 2013-2172 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache XML Security for Java
Description	Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language	JAVA
Vulnerability	Spoofable XML Signature
Vulnerability description	jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature.
CVE	2013-2172
CVSS score	4.3
Vulnerability present in version/s	1.5.0-1.5.4
Found library version/s	1.5.1
Vulnerability fixed in version	1.5.5
Library latest version	3.0.1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/117?version=1.5.1
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/831
• Patch: https://github.com/apache/santuario-java/commit/d0536272059bba735583809e2bfa5d249bb2e537

[github-actions[bot]]

Veracode issue link to PR: https://github.com/julz0815/test-action/pull/184