Severity
Medium
Analysis Summary
CVE-2021-40690
Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the improper passing of the “secureValidation” property when creating a KeyInfo from a KeyInfoReference element. An attacker could exploit this vulnerability to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CVE-2021-41303
Apache Shiro could allow a remote attacker to bypass security restrictions, caused by an error when using with Spring Boot. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process.
Impact
- Security Bypass
Affected Vendors
- Apache
Affected Products
- Apache Santuario Apache Santuario XML Security for Java 2.0.0
- Apache Santuario Apache Santuario XML Security for Java 2.0.3
- Apache Santuario Apache Santuario XML Security for Java 2.1.0
- Apache Santuario Apache Santuario XML Security for Java 2.2.0
- Apache Santuario Apache Santuario XML Security for Java 2.2.1
- Apache Santuario Apache Santuario XML Security for Java 2.2.2
- Apache Santuario Apache Santuario XML Security for Java 2.1.1
- Apache Santuario Apache Santuario XML Security for Java 2.1.2
- Apache Santuario Apache Santuario XML Security for Java 2.1.3
- Apache Santuario Apache Santuario XML Security for Java 2.1.4
- Apache Santuario Apache Santuario XML Security for Java 2.1.5
- Apache Santuario Apache Santuario XML Security for Java 2.1.6
- Apache Shiro 1.7.0
- Apache Shiro 1.7.1
Remediation
Upgrade to the latest version of Apache Santuario XML Security for Java, available from the Apache Web site.
Upgrade to the latest version of Apache Shiro, available from the Apache Web site.