CVE-2009-0217

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
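The truncation parameter in the description is easier to reason about with the check written out. The following is an added example, not code from this page or from any of the affected products: a toy XMLDsig-style HMAC-SHA1 verifier that honours whatever HMACOutputLength the document declares (the pre-fix behaviour the description describes) beside one that bounds the length before comparing, plus the keyless forgery that the first one accepts. The signature template, the key, the digests and every function name are constructed for the example; the SignedInfo element is MACed as ElementTree serialises it rather than after the canonicalization XMLDsig requires; and the 80-bit, half-digest-length floor follows the RFC 2104 section 5 guidance (the W3C errata linked in the references tightened XMLDsig along those lines, while individual vendor patches chose their own thresholds).

```python
# Added example, not from the page or from any affected product: a toy XMLDsig
# HMAC-SHA1 verifier showing why CVE-2009-0217 matters. Constructed throughout
# (template, key, digests). Simplification: SignedInfo is MACed as ElementTree
# serialises it; real XMLDsig canonicalises it first. Floor follows RFC 2104 s.5.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG}
FULL_BITS = hashlib.sha1().digest_size * 8  # 160 for HMAC-SHA1
MIN_HMAC_BITS = max(80, FULL_BITS // 2)      # floor the fixed verifier enforces

SIGNATURE_TEMPLATE = (
    '<Signature xmlns="{ns}"><SignedInfo>'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<SignatureMethod Algorithm="{ns}hmac-sha1">'
    "<HMACOutputLength>{bits}</HMACOutputLength></SignatureMethod>"
    '<Reference URI="#body"><DigestMethod Algorithm="{ns}sha1"/>'
    "<DigestValue>{digest}</DigestValue></Reference></SignedInfo>"
    "<SignatureValue>{sig}</SignatureValue></Signature>"
)

def build_signature(digest_b64: str, bits: int, sig_b64: str) -> bytes:
    """Render a ds:Signature over a Reference whose digest is digest_b64."""
    return SIGNATURE_TEMPLATE.format(ns=DSIG, bits=bits, digest=digest_b64, sig=sig_b64).encode()

def leftmost_bits(data: bytes, nbits: int) -> bytes:
    """Leftmost nbits of data: the truncation XMLDsig defines for HMACOutputLength."""
    out = bytearray(data[: (nbits + 7) // 8])
    if nbits % 8 and out:
        out[-1] &= (0xFF << (8 - nbits % 8)) & 0xFF  # clear the unused low bits
    return bytes(out)

def parse_signature(doc: bytes):
    """Return (SignedInfo bytes to MAC, declared HMACOutputLength, decoded SignatureValue)."""
    root = ET.fromstring(doc)
    signed_info = root.find("ds:SignedInfo", NS)
    method = signed_info.find("ds:SignatureMethod", NS)
    if method.get("Algorithm") != DSIG + "hmac-sha1":
        raise ValueError("unsupported SignatureMethod")
    hol = method.find("ds:HMACOutputLength", NS)
    bits = int(hol.text) if hol is not None else FULL_BITS
    sig = base64.b64decode(root.findtext("ds:SignatureValue", default="", namespaces=NS))
    signed_info.tail = None
    return ET.tostring(signed_info), bits, sig

def sign(key: bytes, digest_b64: str, bits: int = FULL_BITS) -> bytes:
    """Legitimate signer: MAC the SignedInfo and keep its leftmost `bits` bits."""
    signed_info, _, _ = parse_signature(build_signature(digest_b64, bits, ""))
    mac = leftmost_bits(hmac.new(key, signed_info, hashlib.sha1).digest(), bits)
    return build_signature(digest_b64, bits, base64.b64encode(mac).decode())

def verify_vulnerable(doc: bytes, key: bytes) -> bool:
    """Pre-fix logic: compares exactly as many bits as the document asks for."""
    signed_info, bits, provided = parse_signature(doc)
    expected = hmac.new(key, signed_info, hashlib.sha1).digest()
    return leftmost_bits(expected, bits) == leftmost_bits(provided, bits)

def verify_fixed(doc: bytes, key: bytes) -> bool:
    """Post-fix logic: bound HMACOutputLength first, then compare in constant time."""
    signed_info, bits, provided = parse_signature(doc)
    if not MIN_HMAC_BITS <= bits <= FULL_BITS:
        raise ValueError(f"HMACOutputLength {bits} outside [{MIN_HMAC_BITS}, {FULL_BITS}]")
    if len(provided) * 8 < bits:
        raise ValueError("SignatureValue shorter than HMACOutputLength")
    expected = hmac.new(key, signed_info, hashlib.sha1).digest()
    return hmac.compare_digest(leftmost_bits(expected, bits), leftmost_bits(provided, bits))

def forge_candidates(digest_b64: str) -> list:
    """Attacker without the key: declare a 1-bit MAC, so one of two guesses must verify."""
    return [build_signature(digest_b64, 1, base64.b64encode(b).decode())
            for b in (b"\x00", b"\x80")]

def demo() -> dict:
    """Genuine signature against both verifiers, then a keyless forgery against both."""
    key = b"constructed-shared-secret"  # constructed sample key
    honest = base64.b64encode(hashlib.sha1(b"amount=10").digest()).decode()
    tampered = base64.b64encode(hashlib.sha1(b"amount=1000000").digest()).decode()
    genuine, candidates = sign(key, honest), forge_candidates(tampered)

    def fixed_accepts(d: bytes) -> bool:
        try:
            return verify_fixed(d, key)
        except ValueError:
            return False

    return {
        "genuine_vulnerable": verify_vulnerable(genuine, key),
        "genuine_fixed": verify_fixed(genuine, key),
        "forgeries_accepted_by_vulnerable": sum(verify_vulnerable(c, key) for c in candidates),
        "forgeries_accepted_by_fixed": sum(fixed_accepts(c) for c in candidates),
    }
```

Calling demo() shows the two sides of the defect: both verifiers accept the genuine 160-bit signature, but of the two keyless candidates declaring HMACOutputLength 1, exactly one passes the unbounded verifier (the attacker simply sends both), while the bounded verifier rejects the length before any comparison happens. The same unbounded code with HMACOutputLength 0 compares two empty strings and accepts unconditionally. Note that the attacker never touches the key: recomputing the Reference digest over tampered content needs no secret, so the HMAC over SignedInfo is the only thing standing between them and a valid signature, and the document gets to say how much of it counts.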

Published: 2009-07-14 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2009-0217 is rated Moderate Risk (49.8/100) on this page's composite scale, from a CVSS v2 Medium base score and a medium exploitation likelihood (EPSS 2.22%). Action: inventory the assets that verify HMAC-based XML signatures (the XML security libraries named above and the application servers and runtimes that bundle them) and schedule remediation. Treat the CVSS rating as a floor: the defect lets an attacker forge an XML signature without the key, and wherever such a signature is what authenticates a message the practical effect is the authentication bypass the description states.


Exploit prediction scoring system (EPSS) score for CVE-2009-0217

EPSS lead: EPSS is a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days; the percentile ranks this CVE among all scored vulnerabilities, so a higher percentile means a higher predicted exploitation likelihood relative to the others, not a higher severity.

#  Date        Old EPSS score  New EPSS score  Delta (new - old)
1  2026-04-12  1.99%           2.22%           +0.23%
2  2026-03-30  1.55%           1.99%           +0.43%
3  2026-03-29  n/a             1.55%           n/a (earliest of the records shown)

Full EPSS history (24 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-0217

Base score  Version  Severity  Vector                      Exploitability  Impact  Score source
5.0         2.0      MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N  10.0            2.9     [email protected]

Access vector (AV:N)
Exploitable over the network: the attacker only has to deliver a crafted signed XML document to a verifier that accepts HMAC-based XML signatures.
Access complexity (AC:L)
No special conditions: HMACOutputLength lives inside the document the attacker controls.
Authentication (Au:N)
No authentication is required; the forged signature is what would normally stand in for it.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact: the attacker can get a signature over content of their choosing accepted as valid. CVSS v2 scores this as partial because it covers the signature check rather than the whole system; where that signature gates authentication, as the description says it does, the practical impact is an authentication bypass.
Availability impact (A:N)
No availability impact.

Weakness enumeration for CVE-2009-0217

No CWE entry is listed on this page for this CVE.

GitHub Security Advisory for CVE-2009-0217

GHSA-8hfm-837h-hjg5 · Severity: medium · Ecosystem: maven — Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation

OS Trackers for CVE-2009-0217

debian (priority: not yet assigned)
  3 source packages (mono, xml-security-c, xmlsec1); 15 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie), all 15 resolved.
  https://security-tracker.debian.org/tracker/CVE-2009-0217

gentoo (priority: normal)
  2 GLSAs (201206-13, 201408-19); 6 atoms (app-office/libreoffice, app-office/libreoffice-bin, app-office/openoffice, app-office/openoffice-bin, dev-lang/mono, dev-util/mono-debugger); latest impact normal.
  https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-0217

redhat (priority: medium)
  https://access.redhat.com/security/cve/CVE-2009-0217

ubuntu (priority: medium)
  7 source packages (libreoffice, libxml-security-java, …); 98 status rows across 14 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, upstream): not-affected 55, released 16, DNE 14, ignored 12, needs-triage 1.
  https://ubuntu.com/security/CVE-2009-0217

Affected software / configurations for CVE-2009-0217

The CPE list below covers only part of what the description names: there are no entries for WebLogic, the XML Security Library (xmlsec), the Sun JDK/JRE, the .NET Framework, Mono releases between 2.0 and 2.4.2.2, or Oracle Application Server 10.1.4.3IM. Asset matching against these CPEs alone will therefore miss affected installs; match on the XML signature library an application bundles instead.

Vendor Product Version Raw CPE
ibm websphere_application_server 6.0 cpe:2.3:a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.0.1 cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.0.2 cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.0.3 cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1 cpe:2.3:a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.1 cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.2 cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.3 cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.5 cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.7 cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.9 cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.11 cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.13 cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.15 cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.1.17 cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2 cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2 cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:fp17:*:*:*:*:*
ibm websphere_application_server 6.0.2.1 cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.2 cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.3 cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.10 cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.11 cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.12 cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.13 cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.14 cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.15 cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.16 cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.17 cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.18 cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.19 cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.20 cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.21 cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.22 cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.23 cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.24 cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.25 cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.28 cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.29 cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.30 cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.31 cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.32 cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*
ibm websphere_application_server 6.0.2.33 cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:*:*:*:*:*:*:*
ibm websphere_application_server 6.1 cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0 cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.0 cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.1 cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.2 cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.3 cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.4 cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.5 cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.6 cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.7 cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.8 cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.9 cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.10 cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.11 cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.12 cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.13 cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.14 cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.15 cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.16 cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.17 cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.18 cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.19 cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.20 cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.21 cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.22 cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:*:*:*:*:*:*:*
ibm websphere_application_server 6.1.0.23 cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
ibm websphere_application_server 7.0 cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
ibm websphere_application_server 7.0.0.1 cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
mono_project mono 1.2.1 cpe:2.3:a:mono_project:mono:1.2.1:*:*:*:*:*:*:*
mono_project mono 1.2.2 cpe:2.3:a:mono_project:mono:1.2.2:*:*:*:*:*:*:*
mono_project mono 1.2.3 cpe:2.3:a:mono_project:mono:1.2.3:*:*:*:*:*:*:*
mono_project mono 1.2.4 cpe:2.3:a:mono_project:mono:1.2.4:*:*:*:*:*:*:*
mono_project mono 1.2.5 cpe:2.3:a:mono_project:mono:1.2.5:*:*:*:*:*:*:*
mono_project mono 1.2.6 cpe:2.3:a:mono_project:mono:1.2.6:*:*:*:*:*:*:*
mono_project mono 1.9 cpe:2.3:a:mono_project:mono:1.9:*:*:*:*:*:*:*
mono_project mono 2.0 cpe:2.3:a:mono_project:mono:2.0:*:*:*:*:*:*:*
oracle application_server 10.1.2.3 cpe:2.3:a:oracle:application_server:10.1.2.3:*:*:*:*:*:*:*
oracle application_server 10.1.3.4 cpe:2.3:a:oracle:application_server:10.1.3.4:*:*:*:*:*:*:*

References for CVE-2009-0217

URL Tags
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://osvdb.org/55895
http://osvdb.org/55907
http://secunia.com/advisories/34461
http://secunia.com/advisories/35776 Vendor Advisory
http://secunia.com/advisories/35852 Vendor Advisory
http://secunia.com/advisories/35853 Vendor Advisory
http://secunia.com/advisories/35854 Vendor Advisory
http://secunia.com/advisories/35855 Vendor Advisory
http://secunia.com/advisories/35858 Vendor Advisory
http://secunia.com/advisories/36162 Vendor Advisory
http://secunia.com/advisories/36176 Vendor Advisory
http://secunia.com/advisories/36180 Vendor Advisory
http://secunia.com/advisories/36494 Vendor Advisory
http://secunia.com/advisories/37300
http://secunia.com/advisories/37671
http://secunia.com/advisories/37841
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://secunia.com/advisories/41818
http://secunia.com/advisories/60799
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://svn.apache.org/viewvc?revision=794013&view=revision
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925 Patch Vendor Advisory
http://www.aleksey.com/xmlsec/
http://www.debian.org/security/2010/dsa-1995
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.kb.cert.org/vuls/id/466161 US Government Resource
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mono-project.com/Vulnerabilities Vendor Advisory
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.securityfocus.com/bid/35671 Patch
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://www.ubuntu.com/usn/USN-903-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html US Government Resource
http://www.us-cert.gov/cas/techalerts/TA10-159B.html US Government Resource
http://www.vupen.com/english/advisories/2009/1900 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1908 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1909 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1911 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0635
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03 Vendor Advisory
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://usn.ubuntu.com/826-1/
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html