CVE-2013-2153

The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) in Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypass issue."

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat | CNA | --- | ---
CVE | ADP | --- | ---

EPSS Score percentile: 73%

Vendor | Product | Version
apache | xml_security_for_c++ | 𝑥 ≤ 1.7.0
apache | xml_security_for_c++ | 0.1.0
apache | xml_security_for_c++ | 0.2.0
apache | xml_security_for_c++ | 1.1.0
apache | xml_security_for_c++ | 1.2.0
apache | xml_security_for_c++ | 1.2.1
apache | xml_security_for_c++ | 1.3.0
apache | xml_security_for_c++ | 1.3.1
apache | xml_security_for_c++ | 1.4.0
apache | xml_security_for_c++ | 1.5.0
apache | xml_security_for_c++ | 1.5.1
apache | xml_security_for_c++ | 1.6.0
apache | xml_security_for_c++ | 1.6.1

𝑥 = Vulnerable software versions

Debian Releases

Debian Product | Codename | Version | Status
xml-security-c | bullseye | 2.0.2-4 | fixed
xml-security-c | sid | 2.0.4-2 | fixed
xml-security-c | trixie | 2.0.4-2 | fixed
xml-security-c | bookworm | 2.0.4-2 | fixed

Ubuntu Releases

Ubuntu Product | Codename | Version | Status
xml-security-c | raring | Fixed 1.6.1-6~build0.13.04.1 | released
xml-security-c | quantal | Fixed 1.6.1-6~build0.12.10.1 | released
xml-security-c | precise | Fixed 1.6.1-1ubuntu0.1 | released
xml-security-c | lucid | Fixed 1.5.1-3+squeeze2build0.10.04.1 | released

Common Weakness Enumeration