CVE-2021-40690 [High] | Information Disclosure in Santuario Xml Security For Java

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-06	0.28%	0.41%	+0.14%
2	2026-03-20	0.38%	0.28%	-0.10%
3	2026-03-04	—	0.38%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-06

0.28%

0.41%

+0.14%

2026-03-20

0.38%

0.28%

-0.10%

2026-03-04

—

0.38%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:P/I:N/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:N) No availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:N): No availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2021-40690

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2021-40690 not yet assigned priority: Debian including 1 source packages (libxml-security-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-40690
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-40690
`ubuntu`	medium	CVE-2021-40690 medium priority: Ubuntu including 1 source packages (libxml-security-java), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 9, ignored 2, released 2, DNE 1, needed 1.	https://ubuntu.com/security/CVE-2021-40690

Affected software / configurations for CVE-2021-40690

Vendor	Product	Version	Raw CPE
apache	santuario_xml_security_for_java	< 2.1.7	cpe:2.3:a:apache:santuario_xml_security_for_java::::::::
apache	santuario_xml_security_for_java	>= 2.2.0, < 2.2.3	cpe:2.3:a:apache:santuario_xml_security_for_java::::::::
apache	cxf	3.4.4	cpe:2.3:a:apache:cxf:3.4.4:::::::*
apache	tomee	< 8.0.8	cpe:2.3:a:apache:tomee::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
oracle	agile_plm	9.3.6	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
oracle	commerce_guided_search	11.3.2	cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
oracle	commerce_platform	11.3.2	cpe:2.3:a:oracle:commerce_platform:11.3.2:::::::*
oracle	communications_diameter_intelligence_hub	>= 8.0.0, <= 8.1.0	cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::
oracle	communications_diameter_intelligence_hub	>= 8.2.0, <= 8.2.3	cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::
oracle	communications_messaging_server	8.1	cpe:2.3:a:oracle:communications_messaging_server:8.1:::::::*
oracle	flexcube_private_banking	12.1.0	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
oracle	outside_in_technology	8.5.5	cpe:2.3:a:oracle:outside_in_technology:8.5.5:::::::*
oracle	peoplesoft_enterprise_peopletools	8.58	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
oracle	peoplesoft_enterprise_peopletools	8.59	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
oracle	retail_bulk_data_integration	16.0.3	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:::::::*
oracle	retail_financial_integration	14.1.3.2	cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:::::::*
oracle	retail_financial_integration	15.0.3.1	cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:::::::*
oracle	retail_financial_integration	16.0.3	cpe:2.3:a:oracle:retail_financial_integration:16.0.3:::::::*
oracle	retail_financial_integration	19.0.1	cpe:2.3:a:oracle:retail_financial_integration:19.0.1:::::::*
oracle	retail_integration_bus	14.1.3.2	cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:::::::*
oracle	retail_integration_bus	15.0.3.1	cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:::::::*
oracle	retail_integration_bus	16.0.3	cpe:2.3:a:oracle:retail_integration_bus:16.0.3:::::::*
oracle	retail_integration_bus	19.0.1	cpe:2.3:a:oracle:retail_integration_bus:19.0.1:::::::*
oracle	retail_merchandising_system	16.0.3	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
oracle	retail_merchandising_system	19.0.1	cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
oracle	retail_service_backbone	14.1.3.2	cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
oracle	retail_service_backbone	15.0.3.1	cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::*
oracle	retail_service_backbone	16.0.3	cpe:2.3:a:oracle:retail_service_backbone:16.0.3:::::::*
oracle	retail_service_backbone	19.0.1	cpe:2.3:a:oracle:retail_service_backbone:19.0.1:::::::*
oracle	weblogic_server	12.2.1.4.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
oracle	weblogic_server	14.1.1.0.0	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

References for CVE-2021-40690

URL	Tags
https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E
https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E	Issue Tracking Mailing List Patch Third Party Advisory
https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E
https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20230818-0002/
https://www.debian.org/security/2021/dsa-5010	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

URL

CVE-2021-40690 | Bypass of the secureValidation property

Exploit prediction scoring system (EPSS) score for CVE-2021-40690

Common vulnerability scoring system (CVSS) metrics for CVE-2021-40690

Weakness enumeration for CVE-2021-40690

GitHub Security Advisory for CVE-2021-40690

OS Trackers for CVE-2021-40690

Affected software / configurations for CVE-2021-40690

References for CVE-2021-40690