阿里云漏洞库

Apache Santuario是美国阿帕奇（Apache）基金会的一套实现XML的主要安全标准，它包含两个库：Apache XML Security for Java和Apache XML Security for C++。

Apache Santuario XML Security for Java存在信息泄露漏洞，该漏洞源于软件中的Keyinfo SecureValidation Xpath Transform缺少有效验证。攻击者可利用该漏洞通过该字段读取文件，以获取敏感信息。

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：

https://santuario.apache.org/javaindex.html

参考链接
https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a70...
https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae7...
https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1...
https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed559517048780...
https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a88465...
https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d...
https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb2193...
https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32f...
https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d5...
https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html
https://security.netapp.com/advisory/ntap-20230818-0002/
https://www.debian.org/security/2021/dsa-5010
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

CWE-ID	漏洞类型
CWE-200	信息暴露