SCA: security update for org.apache.santuario:xmlsec (GHSA-8hfm-837h-hjg5)

medium Tenable Self-Hosted Container Security Plugin ID 412706

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in
products including (1) the Oracle Security Developer Tools component in Oracle Application Server
10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1,
9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM
WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1;
(6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0;
and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not
require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass
authentication by specifying a truncation length with a small number of bits. (CVE-2009-0217)

See Also

https://github.com/advisories/GHSA-8hfm-837h-hjg5

Plugin Details

Severity: Medium

ID: 412706

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2009-0217

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/2/2022

Vulnerability Publication Date: 7/14/2009

Reference Information

CVE: CVE-2009-0217

BID: 35671