{"dataType":"CVE_RECORD","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2024-34580","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","dateUpdated":"2024-08-08T17:18:46.698Z","dateReserved":"2024-05-06T00:00:00.000Z","datePublished":"2024-06-26T00:00:00.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2024-08-08T17:18:46.698Z"},"descriptions":[{"lang":"en","value":"Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. Even when avoiding this particular issue, any use of this library would need considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case. We recommend against continued direct use of this library."}],"tags":["disputed"],"affected":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}],"references":[{"url":"https://santuario.apache.org/download.html"},{"url":"https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery"},{"url":"https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library"},{"url":"https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md"},{"url":"https://lists.apache.org/thread/po2gocnw4gtf4boy5mmjb54g62qhbrl9"},{"url":"https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/3726671873/Santuario"}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"n/a"}]}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-918","lang":"en","description":"CWE-918 Server-Side Request Forgery (SSRF)"}]}],"affected":[{"vendor":"simplesamlphp","product":"xml-security","cpes":["cpe:2.3:a:simplesamlphp:xml-security:1.6.11:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"2.0.4","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","integrityImpact":"LOW","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-06-26T15:02:33.442558Z","id":"CVE-2024-34580","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-26T15:26:35.849Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T02:59:21.807Z"},"title":"CVE Program Container","references":[{"url":"https://santuario.apache.org/download.html","tags":["x_transferred"]},{"url":"https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery","tags":["x_transferred"]},{"url":"https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library","tags":["x_transferred"]},{"url":"https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md","tags":["x_transferred"]}]}]},"dataVersion":"5.1"}