CVE-2013-4517

Apache Santuario XML Security for Java <1.5.6 - DoS

Description

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2013-4517-santuario-java-vulnerable
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2013-4517-santuario-java-vulnerable

Scores

EPSS 0.0839
EPSS Percentile 92.3%

Details

CWE CWE-399
Status published
Products (19)
apache/santuario_xml_security_for_java 1.2.0
apache/santuario_xml_security_for_java 1.2.1
apache/santuario_xml_security_for_java 1.3.0
apache/santuario_xml_security_for_java 1.4.0
apache/santuario_xml_security_for_java 1.4.1
apache/santuario_xml_security_for_java 1.4.2
apache/santuario_xml_security_for_java 1.4.3
apache/santuario_xml_security_for_java 1.4.4
apache/santuario_xml_security_for_java 1.4.5
apache/santuario_xml_security_for_java 1.4.6
... and 9 more
Published Jan 11, 2014
Tracked Since Feb 18, 2026