CVE-2013-2172: XML signature spoofing

August 20, 2013 (updated October 9, 2018)

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in this package allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak “canonicalization algorithm to apply to the SignedInfo part of the Signature.”

References

santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc
bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2172

Code Behaviors & Features

Detect and mitigate CVE-2013-2172 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →