Is CVE-2021-40690 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 10%.

What products does CVE-2021-40690 affect?

Tracked products affected include PeopleSoft Enterprise PeopleTools. Check the version you run to see whether it is affected.

How do I fix CVE-2021-40690?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2021-40690

Q: What is CVE-2021-40690?

CVE-2021-40690 is a high-severity software vulnerability (Information disclosure) with a CVSS score of 7.5. All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows

HIGH severity · CVSS 7.5 · Information disclosure

7.5CVSS HIGH

Summary

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)10%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

PeopleSoft Enterprise PeopleTools

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E ↗

CVE-2021-40690

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information