CVE-2013-4517

Apache Santuario XML Security for Java <1.5.6 - DoS


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-4517. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary: This repository contains functional Java code demonstrating CVE-2013-4517, a vulnerability in Apache Santuario XML Security for Java. The provided samples include signature generation and validation code that can be used to exploit the flaw.

Description

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

Exploits (2)

nomisec · WORKING POC · by dawetmaster · poc
https://github.com/dawetmaster/CVE-2013-4517-santuario-java-vulnerable

This repository contains functional Java code demonstrating CVE-2013-4517, a vulnerability in Apache Santuario XML Security for Java. The provided samples include signature generation and validation code that can be used to exploit the flaw.

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Apache Santuario XML Security for Java
Authentication: none needed
Prerequisites: Java environment · Apache Santuario XML Security for Java library
Analyzed by devstral-2 on Mar 14, 2026
nomisec · WORKING POC · by andikahilmy · poc
https://github.com/andikahilmy/CVE-2013-4517-santuario-java-vulnerable

This repository contains functional Java code demonstrating CVE-2013-4517, a vulnerability in Apache Santuario's XML security library. The provided samples include code for generating and validating XML signatures, which can be used to exploit the vulnerability.

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Apache Santuario XML Security for Java
Authentication: none needed
Prerequisites: Java environment · Apache Santuario library
Analyzed by devstral-2 on Feb 18, 2026

References (22)

Core References (22)

Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1728.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1726.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2015-0675.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2015-0850.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2015-0851.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-0170.html
Third Party Advisory, VDB Entry (x_refsource_osvdb): http://osvdb.org/101169
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-0195.html
Third Party Advisory (x_refsource_confirm): https://www.tenable.com/security/tns-2018-15
Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/89891
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1727.html
Mailing List (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2013/Dec/169
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1029524
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-0172.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-0171.html
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/64437
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1725.html
Vendor Advisory, third-party-advisory (x_refsource_secunia): http://secunia.com/advisories/55639

Scores

EPSS: 0.0839
EPSS Percentile: 92.5%

Details

CWE: CWE-399
Status: published
Products (19)
apache/santuario_xml_security_for_java 1.2.0
apache/santuario_xml_security_for_java 1.2.1
apache/santuario_xml_security_for_java 1.3.0
apache/santuario_xml_security_for_java 1.4.0
apache/santuario_xml_security_for_java 1.4.1
apache/santuario_xml_security_for_java 1.4.2
apache/santuario_xml_security_for_java 1.4.3
apache/santuario_xml_security_for_java 1.4.4
apache/santuario_xml_security_for_java 1.4.5
apache/santuario_xml_security_for_java 1.4.6
... and 9 more
Published: Jan 11, 2014
Tracked Since: Feb 18, 2026