
xml-security-c: authentication bypass

Package(s): xml-security-c    CVE #(s): CVE-2009-0217
Created: July 31, 2009    Updated: June 4, 2010
Description: From the CVE entry: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
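The check the affected libraries were missing, as an added example (not code from xml-security-c or any other product named above): a minimal HMAC signature verifier that honours HMACOutputLength, with a switch between the pre-fix behaviour and a hardened policy. The floor used here (at least 80 bits and at least half the digest length) follows the W3C XMLDsig errata; the key, data and algorithm names are constructed.

```python
import hashlib
import hmac

# Digest algorithms this toy verifier accepts (constructed example).
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
# Floor from the W3C XMLDsig errata issued after CVE-2009-0217: 80 bits minimum,
# and never less than half of the underlying digest length.
MIN_OUTPUT_BITS = 80


def truncate_to_bits(mac, bits):
    """Keep only the leftmost `bits` of the MAC, as HMACOutputLength specifies."""
    nbytes = (bits + 7) // 8
    out = bytearray(mac[:nbytes])
    spare = nbytes * 8 - bits  # unused low-order bits in the final byte
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def output_length_ok(output_bits, digest_name):
    """Hardened policy check: is this HMACOutputLength acceptable for the digest?"""
    if output_bits is None:  # parameter absent: the full MAC is compared
        return True
    full_bits = DIGESTS[digest_name]().digest_size * 8
    floor = max(MIN_OUTPUT_BITS, full_bits // 2)
    return floor <= output_bits <= full_bits


def sign_hmac(key, data, digest_name, output_bits=None):
    """Signer side: full HMAC, optionally truncated to HMACOutputLength bits."""
    mac = hmac.new(key, data, DIGESTS[digest_name]).digest()
    return mac if output_bits is None else truncate_to_bits(mac, output_bits)


def verify_hmac_signature(key, data, signature_value, digest_name,
                          output_bits=None, enforce_minimum=True):
    """Return True if signature_value matches. enforce_minimum=False reproduces
    the pre-fix behaviour, where the supplied length is honoured unchecked."""
    if enforce_minimum and not output_length_ok(output_bits, digest_name):
        return False  # reject rather than compare a handful of bits
    expected = sign_hmac(key, data, digest_name, output_bits)
    return hmac.compare_digest(expected, signature_value)


if __name__ == "__main__":
    key, data = b"constructed-shared-key", b"<Assertion>constructed</Assertion>"
    short = sign_hmac(key, data, "sha1", 8)  # only 8 bits of the MAC survive
    print("pre-fix:", verify_hmac_signature(key, data, short, "sha1", 8, False))
    print("hardened:", verify_hmac_signature(key, data, short, "sha1", 8))
```

With the policy off, the 8-bit signature verifies even though it carries almost no authentication strength; with the policy on, the same message is rejected before any comparison happens.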
Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Gentoo 201206-13 mono, mono-debugger 2012-06-21
Pardus 2010-67 openoffice 2010-06-04
SuSE SUSE-SA:2010:017 OpenOffice_org 2010-03-16
SuSE SUSE-SA:2010:004 java-1_6_0-ibm 2010-01-12
Red Hat RHSA-2009:1694-01 java-1.6.0-ibm 2009-12-23
Mandriva MDVSA-2009:322 mono 2009-12-07
Mandriva MDVSA-2009:318 xmlsec1 2009-12-05
Ubuntu USN-903-1 openoffice.org 2010-02-24
Debian DSA-1995-1 openoffice.org 2010-02-12
Mandriva MDVSA-2009:269 mono 2009-10-12
Mandriva MDVSA-2009:268 mono 2009-10-12
CentOS CESA-2009:1428 xmlsec1 2009-09-08
Red Hat RHSA-2009:1428-01 xmlsec1 2009-09-08
Mandriva MDVSA-2009:267 xmlsec1 2009-10-10
Ubuntu USN-826-1 mono 2009-08-26
Mandriva MDVSA-2009:209 java-1.6.0-openjdk 2009-08-21
Fedora FEDORA-2009-8456 xmlsec1 2009-08-11
Fedora FEDORA-2009-8473 xmlsec1 2009-08-11
Ubuntu USN-814-1 openjdk-6 2009-08-11
CentOS CESA-2009:1201 java-1.6.0-openjdk 2009-08-08
Red Hat RHSA-2009:1201-01 java-1.6.0-openjdk 2009-08-06
Red Hat RHSA-2009:1200-01 java-1.6.0-sun 2009-08-06
Fedora FEDORA-2009-8337 java-1.6.0-openjdk 2009-08-07
Fedora FEDORA-2009-8329 java-1.6.0-openjdk 2009-08-07
Debian DSA-1849-1 xml-security-c 2009-08-02
Fedora FEDORA-2009-8157 xml-security-c 2009-07-31
Fedora FEDORA-2009-8121 xml-security-c 2009-07-31
SuSE SUSE-SA:2009:053 java-1_6_0-ibm 2009-11-04
CentOS CESA-2009:1428 xmlsec1 2009-10-30

Copyright © 2026, Eklektix, Inc.