Bypass of the secureValidation property (CVE-2021-40690)

PRODUCT AFFECTED:

This issue affects Apache Santuario XML Security for Java.

PROBLEM:

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform via a RetrievalMethod element to extract any local .xml files.

This issue has been assigned CVE-2021-40690.

ACKNOWLEDGEMENTS:

An Trinh, Calif.
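The following is an added defensive example, not code from the advisory or from the Santuario project: a signature validation routine that sets the secureValidation property explicitly on the JSR-105 validate context and uses a hypothetical key selector (InlineKeyOnlySelector) that never dereferences a RetrievalMethod, so the KeyInfoReference path described above is not exercised even before the upgrade to 2.2.3 / 2.1.7.

```java
import java.security.KeyException;
import java.security.PublicKey;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.RetrievalMethod;
import org.w3c.dom.Element;

/** Validates an XML signature with secure validation forced on and RetrievalMethod refused. */
public final class HardenedSignatureCheck {

    /** Hypothetical selector: accepts only an inline KeyValue and rejects RetrievalMethod,
     *  so KeyInfoReference (and any transforms it carries) is never dereferenced. */
    static final class InlineKeyOnlySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext ctx)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo present");
            for (Object content : keyInfo.getContent()) {
                if (content instanceof RetrievalMethod) {
                    throw new KeySelectorException("RetrievalMethod rejected by policy");
                }
                if (content instanceof KeyValue) {
                    try {
                        PublicKey pk = ((KeyValue) content).getPublicKey();
                        // In production, compare pk against a trusted key set before returning it.
                        return () -> pk;
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("no usable inline key in KeyInfo");
        }
    }

    /** Returns true only if the Signature element validates under the hardened context. */
    public static boolean validate(Element signatureElement) throws Exception {
        DOMValidateContext ctx = new DOMValidateContext(new InlineKeyOnlySelector(), signatureElement);
        // Property read by Santuario's JSR-105 provider; set it explicitly instead of relying on defaults.
        ctx.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }
}
```

XMLSignatureFactory.getInstance("DOM") picks whichever DOM provider is registered first; pass the Santuario provider instance explicitly if the JDK's built-in implementation must not be used. Rejecting RetrievalMethod is defense in depth, not a substitute for upgrading to a fixed version.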