CVE-2013-2153

EUVD-2013-2118
The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue."

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS Score
Percentile: 74%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | xml_security_for_c\+\+ | 𝑥 ≤ 1.7.0 |
| apache | xml_security_for_c\+\+ | 0.1.0 |
| apache | xml_security_for_c\+\+ | 0.2.0 |
| apache | xml_security_for_c\+\+ | 1.1.0 |
| apache | xml_security_for_c\+\+ | 1.2.0 |
| apache | xml_security_for_c\+\+ | 1.2.1 |
| apache | xml_security_for_c\+\+ | 1.3.0 |
| apache | xml_security_for_c\+\+ | 1.3.1 |
| apache | xml_security_for_c\+\+ | 1.4.0 |
| apache | xml_security_for_c\+\+ | 1.5.0 |
| apache | xml_security_for_c\+\+ | 1.5.1 |
| apache | xml_security_for_c\+\+ | 1.6.0 |
| apache | xml_security_for_c\+\+ | 1.6.1 |

𝑥 = Vulnerable software versions

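Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| xml-security-c | bookworm | 2.0.4-2 | fixed |
| xml-security-c | bullseye | 2.0.2-4 | fixed |
| xml-security-c | sid | 2.0.4-2 | fixed |
| xml-security-c | trixie | 2.0.4-2 | fixed |
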
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| xml-security-c | lucid | Fixed 1.5.1-3+squeeze2build0.10.04.1 | released |
| xml-security-c | precise | Fixed 1.6.1-1ubuntu0.1 | released |
| xml-security-c | quantal | Fixed 1.6.1-6~build0.12.10.1 | released |
| xml-security-c | raring | Fixed 1.6.1-6~build0.13.04.1 | released |

Common Weakness Enumeration