Apache XML Security For Java vulnerable to Infinite Loop
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Mar 5, 2024
Package
Affected versions
>= 1.4.0, < 1.4.8
>= 1.5.0, < 1.5.3
Patched versions
1.4.8
1.5.3
Description
Published by the National Vulnerability Database
Oct 16, 2013
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Nov 8, 2022
Last updated
Mar 5, 2024
Affected versions of xmlsec are subject to a denial of service vulnerability. When the library verifies the signature of a message larger than 512 MB, the method
expandSize(int newPos)
of class org.apache.xml.security.utils.UnsyncByteArrayOutputStream
enters an endless loop. A remote attacker could use this flaw to supply crafted XML that leads to a denial of service, since the thread handling the signature check never returns.
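The advisory names the method and the 512 MB threshold but not the loop itself. The following is an added example, not code from the Apache Santuario project, that models the growth strategy one would expect behind such a threshold: a 32-bit int capacity that is quadrupled until it covers the requested position. Under that model 2^29 (512 MB) shifted left by two wraps to Integer.MIN_VALUE and then to 0, so the loop condition can never become false for positions above 512 MB. The class name, the INITIAL_SIZE and MAX_BUFFER_SIZE constants, and the two method names are my assumptions; the hardened variant is my own design, not the upstream patch.

```java
public final class ExpandSizeOverflowDemo {

    /* Assumed initial capacity of the model buffer; the advisory does not state the real value. */
    static final int INITIAL_SIZE = 8 * 1024;

    /* Hypothetical hard cap on how large one buffer may grow (64 MB here). A deployment would
       derive this from the largest signed message it legitimately expects to process. */
    static final int MAX_BUFFER_SIZE = 64 * 1024 * 1024;

    /**
     * Models the unpatched growth loop as the advisory describes it (assumption: capacity is
     * quadrupled in int arithmetic until it covers newPos). Returns the number of iterations
     * the loop took, or -1 once maxIters is exhausted, which is how this demo reports "would
     * never terminate" without actually hanging the JVM.
     */
    static int vulnerableGrowthSteps(int newPos, int maxIters) {
        int newSize = INITIAL_SIZE;
        int iters = 0;
        while (newPos > newSize) {
            if (iters++ >= maxIters) {
                return -1;
            }
            newSize = newSize << 2; // 2^29 << 2 wraps to MIN_VALUE, then to 0: no exit
        }
        return iters;
    }

    /**
     * Hardened variant (my design, not the upstream fix): compute the required capacity in a
     * long so the shift cannot wrap, and reject requests above an explicit cap instead of
     * either spinning or allocating a multi-gigabyte array.
     */
    static int safeNewSize(int newPos) {
        if (newPos < 0) {
            throw new IllegalArgumentException("negative position: " + newPos);
        }
        long newSize = INITIAL_SIZE;
        while (newPos > newSize) {
            newSize <<= 2; // long arithmetic: 2^29 << 2 is 2^31, no wrap
            if (newSize > MAX_BUFFER_SIZE) {
                throw new IllegalStateException(
                    "buffer would exceed configured limit of " + MAX_BUFFER_SIZE + " bytes");
            }
        }
        return (int) newSize;
    }

    public static void main(String[] args) {
        int small = 100 * 1024 * 1024; // 100 MB: below the 512 MB threshold
        int large = 600 * 1024 * 1024; // 600 MB: above it
        System.out.println("100 MB, unpatched loop: " + vulnerableGrowthSteps(small, 1000)
            + " iterations");
        System.out.println("600 MB, unpatched loop: " + vulnerableGrowthSteps(large, 1000)
            + " (-1 means the loop never exits)");
        System.out.println("20 MB, hardened: " + safeNewSize(20 * 1024 * 1024) + " bytes");
        try {
            safeNewSize(large);
        } catch (IllegalStateException e) {
            System.out.println("600 MB, hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `javac ExpandSizeOverflowDemo.java && java ExpandSizeOverflowDemo`; the 100 MB case stops after 7 quadruplings, the 600 MB case reports -1. The point for a practitioner is that the fix is not only "stop the loop": an unbounded buffer that honours any requested size just trades an infinite loop for a multi-gigabyte allocation, so the hardened path also enforces a size limit. To check whether an application carries an affected build, inspect the resolved artifact version (for Maven, `mvn dependency:tree | grep xmlsec`) against the patched versions listed above.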