JVN/CVE Demo: Cveinfos

CVE

Id: 37652
CVE No.: CVE-2009-0217
Status: Candidate
Description: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Phase: Assigned (20090120)
Votes: None (candidate not yet proposed)
Comments

Actions

Related CVE References

Id	CVE Id	CVE No.	Reference	Actions
408893	37652	CVE-2009-0217	MISC:http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html	View
408894	37652	CVE-2009-0217	CONFIRM:http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925	View
408895	37652	CVE-2009-0217	CONFIRM:http://www.aleksey.com/xmlsec/	View
408896	37652	CVE-2009-0217	CONFIRM:http://www.mono-project.com/Vulnerabilities	View
408897	37652	CVE-2009-0217	CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html	View
408898	37652	CVE-2009-0217	CONFIRM:http://www.w3.org/2008/06/xmldsigcore-errata.html#e03	View
408899	37652	CVE-2009-0217	CONFIRM:https://issues.apache.org/bugzilla/show_bug.cgi?id=47527	View
408900	37652	CVE-2009-0217	CONFIRM:http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ	View
408901	37652	CVE-2009-0217	CONFIRM:http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1	View
408902	37652	CVE-2009-0217	CONFIRM:http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161	View
408903	37652	CVE-2009-0217	CONFIRM:http://www.kb.cert.org/vuls/id/WDON-7TY529	View
408904	37652	CVE-2009-0217	CONFIRM:https://issues.apache.org/bugzilla/show_bug.cgi?id=47526	View
408905	37652	CVE-2009-0217	CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html	View
408906	37652	CVE-2009-0217	CONFIRM:http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7	View
408907	37652	CVE-2009-0217	CONFIRM:http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7	View
408908	37652	CVE-2009-0217	CONFIRM:http://svn.apache.org/viewvc?revision=794013&view=revision	View
408909	37652	CVE-2009-0217	CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=511915	View
408910	37652	CVE-2009-0217	CONFIRM:http://www.openoffice.org/security/cves/CVE-2009-0217.html	View
408911	37652	CVE-2009-0217	CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html	View
408912	37652	CVE-2009-0217	AIXAPAR:PK80596	View
408913	37652	CVE-2009-0217	URL:http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	View
408914	37652	CVE-2009-0217	AIXAPAR:PK80627	View
408915	37652	CVE-2009-0217	URL:http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	View
408916	37652	CVE-2009-0217	APPLE:APPLE-SA-2009-09-03-1	View
408917	37652	CVE-2009-0217	URL:http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html	View
408918	37652	CVE-2009-0217	DEBIAN:DSA-1995	View
408919	37652	CVE-2009-0217	URL:http://www.debian.org/security/2010/dsa-1995	View
408920	37652	CVE-2009-0217	FEDORA:FEDORA-2009-8329	View
408921	37652	CVE-2009-0217	URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html	View
408922	37652	CVE-2009-0217	FEDORA:FEDORA-2009-8337	View
408923	37652	CVE-2009-0217	URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html	View
408924	37652	CVE-2009-0217	FEDORA:FEDORA-2009-8456	View
408925	37652	CVE-2009-0217	URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html	View
408926	37652	CVE-2009-0217	FEDORA:FEDORA-2009-8473	View
408927	37652	CVE-2009-0217	URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html	View
408928	37652	CVE-2009-0217	GENTOO:GLSA-201408-19	View
408929	37652	CVE-2009-0217	URL:http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml	View
408930	37652	CVE-2009-0217	HP:HPSBUX02476	View
408931	37652	CVE-2009-0217	URL:http://marc.info/?l=bugtraq&m=125787273209737&w=2	View
408932	37652	CVE-2009-0217	HP:SSRT090250	View
408933	37652	CVE-2009-0217	URL:http://marc.info/?l=bugtraq&m=125787273209737&w=2	View
408934	37652	CVE-2009-0217	MANDRIVA:MDVSA-2009:209	View
408935	37652	CVE-2009-0217	URL:http://www.mandriva.com/security/advisories?name=MDVSA-2009:209	View
408936	37652	CVE-2009-0217	MS:MS10-041	View
408937	37652	CVE-2009-0217	URL:http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx	View
408938	37652	CVE-2009-0217	REDHAT:RHSA-2009:1200	View
408939	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1200.html	View
408940	37652	CVE-2009-0217	REDHAT:RHSA-2009:1201	View
408941	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1201.html	View
408942	37652	CVE-2009-0217	REDHAT:RHSA-2009:1428	View
408943	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1428.html	View
408944	37652	CVE-2009-0217	REDHAT:RHSA-2009:1636	View
408945	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1636.html	View
408946	37652	CVE-2009-0217	REDHAT:RHSA-2009:1637	View
408947	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1637.html	View
408948	37652	CVE-2009-0217	REDHAT:RHSA-2009:1649	View
408949	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1649.html	View
408950	37652	CVE-2009-0217	REDHAT:RHSA-2009:1650	View
408951	37652	CVE-2009-0217	URL:https://rhn.redhat.com/errata/RHSA-2009-1650.html	View
408952	37652	CVE-2009-0217	REDHAT:RHSA-2009:1694	View
408953	37652	CVE-2009-0217	URL:http://www.redhat.com/support/errata/RHSA-2009-1694.html	View
408954	37652	CVE-2009-0217	SUNALERT:263429	View
408955	37652	CVE-2009-0217	URL:http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1	View
408956	37652	CVE-2009-0217	SUNALERT:269208	View
408957	37652	CVE-2009-0217	URL:http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1	View
408958	37652	CVE-2009-0217	SUNALERT:1020710	View
408959	37652	CVE-2009-0217	URL:http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1	View
408960	37652	CVE-2009-0217	SUSE:SUSE-SA:2009:053	View
408961	37652	CVE-2009-0217	URL:http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html	View
408962	37652	CVE-2009-0217	SUSE:SUSE-SA:2010:017	View
408963	37652	CVE-2009-0217	URL:http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html	View
408964	37652	CVE-2009-0217	UBUNTU:USN-826-1	View
408965	37652	CVE-2009-0217	URL:http://www.ubuntulinux.org/support/documentation/usn/usn-826-1	View
408966	37652	CVE-2009-0217	UBUNTU:USN-903-1	View
408967	37652	CVE-2009-0217	URL:http://www.ubuntu.com/usn/USN-903-1	View
408968	37652	CVE-2009-0217	CERT:TA09-294A	View
408969	37652	CVE-2009-0217	URL:http://www.us-cert.gov/cas/techalerts/TA09-294A.html	View
408970	37652	CVE-2009-0217	CERT:TA10-159B	View
408971	37652	CVE-2009-0217	URL:http://www.us-cert.gov/cas/techalerts/TA10-159B.html	View
408972	37652	CVE-2009-0217	CERT-VN:VU#466161	View
408973	37652	CVE-2009-0217	URL:http://www.kb.cert.org/vuls/id/466161	View
408974	37652	CVE-2009-0217	BID:35671	View
408975	37652	CVE-2009-0217	URL:http://www.securityfocus.com/bid/35671	View
408976	37652	CVE-2009-0217	OSVDB:55895	View
408977	37652	CVE-2009-0217	URL:http://osvdb.org/55895	View
408978	37652	CVE-2009-0217	OSVDB:55907	View
408979	37652	CVE-2009-0217	URL:http://osvdb.org/55907	View
408980	37652	CVE-2009-0217	OVAL:oval:org.mitre.oval:def:10186	View
408981	37652	CVE-2009-0217	URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10186	View
408982	37652	CVE-2009-0217	OVAL:oval:org.mitre.oval:def:7158	View
408983	37652	CVE-2009-0217	URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7158	View
408984	37652	CVE-2009-0217	OVAL:oval:org.mitre.oval:def:8717	View
408985	37652	CVE-2009-0217	URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8717	View
408986	37652	CVE-2009-0217	SECTRACK:1022561	View
408987	37652	CVE-2009-0217	URL:http://www.securitytracker.com/id?1022561	View
408988	37652	CVE-2009-0217	SECTRACK:1022567	View
408989	37652	CVE-2009-0217	URL:http://www.securitytracker.com/id?1022567	View
408990	37652	CVE-2009-0217	SECTRACK:1022661	View
408991	37652	CVE-2009-0217	URL:http://www.securitytracker.com/id?1022661	View
408992	37652	CVE-2009-0217	SECUNIA:35776	View
408993	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35776	View
408994	37652	CVE-2009-0217	SECUNIA:35853	View
408995	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35853	View
408996	37652	CVE-2009-0217	SECUNIA:35854	View
408997	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35854	View
408998	37652	CVE-2009-0217	SECUNIA:35855	View
408999	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35855	View
409000	37652	CVE-2009-0217	SECUNIA:35858	View
409001	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35858	View
409002	37652	CVE-2009-0217	SECUNIA:36162	View
409003	37652	CVE-2009-0217	URL:http://secunia.com/advisories/36162	View
409004	37652	CVE-2009-0217	SECUNIA:36176	View
409005	37652	CVE-2009-0217	URL:http://secunia.com/advisories/36176	View
409006	37652	CVE-2009-0217	SECUNIA:36180	View
409007	37652	CVE-2009-0217	URL:http://secunia.com/advisories/36180	View
409008	37652	CVE-2009-0217	SECUNIA:35852	View
409009	37652	CVE-2009-0217	URL:http://secunia.com/advisories/35852	View
409010	37652	CVE-2009-0217	SECUNIA:36494	View
409011	37652	CVE-2009-0217	URL:http://secunia.com/advisories/36494	View
409012	37652	CVE-2009-0217	SECUNIA:37300	View
409013	37652	CVE-2009-0217	URL:http://secunia.com/advisories/37300	View
409014	37652	CVE-2009-0217	SECUNIA:37671	View
409015	37652	CVE-2009-0217	URL:http://secunia.com/advisories/37671	View
409016	37652	CVE-2009-0217	SECUNIA:37841	View
409017	37652	CVE-2009-0217	URL:http://secunia.com/advisories/37841	View
409018	37652	CVE-2009-0217	SECUNIA:38567	View
409019	37652	CVE-2009-0217	URL:http://secunia.com/advisories/38567	View
409020	37652	CVE-2009-0217	SECUNIA:38568	View
409021	37652	CVE-2009-0217	URL:http://secunia.com/advisories/38568	View
409022	37652	CVE-2009-0217	SECUNIA:38695	View
409023	37652	CVE-2009-0217	URL:http://secunia.com/advisories/38695	View
409024	37652	CVE-2009-0217	SECUNIA:38921	View
409025	37652	CVE-2009-0217	URL:http://secunia.com/advisories/38921	View
409026	37652	CVE-2009-0217	SECUNIA:34461	View
409027	37652	CVE-2009-0217	URL:http://secunia.com/advisories/34461	View
409028	37652	CVE-2009-0217	SECUNIA:60799	View
409029	37652	CVE-2009-0217	URL:http://secunia.com/advisories/60799	View
409030	37652	CVE-2009-0217	SECUNIA:41818	View
409031	37652	CVE-2009-0217	URL:http://secunia.com/advisories/41818	View
409032	37652	CVE-2009-0217	VUPEN:ADV-2009-1900	View
409033	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/1900	View
409034	37652	CVE-2009-0217	VUPEN:ADV-2009-1908	View
409035	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/1908	View
409036	37652	CVE-2009-0217	VUPEN:ADV-2009-1911	View
409037	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/1911	View
409038	37652	CVE-2009-0217	VUPEN:ADV-2009-1909	View
409039	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/1909	View
409040	37652	CVE-2009-0217	VUPEN:ADV-2009-2543	View
409041	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/2543	View
409042	37652	CVE-2009-0217	VUPEN:ADV-2009-3122	View
409043	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2009/3122	View
409044	37652	CVE-2009-0217	VUPEN:ADV-2010-0366	View
409045	37652	CVE-2009-0217	URL:http://www.vupen.com/english/advisories/2010/0366	View
409046	37652	CVE-2009-0217	VUPEN:ADV-2010-0635	View

Related JVN

Id	JVN No.	Title	Summary	CVE No.	CVE Id	CVSS_v2	CVSS_v3	JVN URL	Actions
40300	JVNDB-2009-001306	Microsoft Office PowerPoint における PowerPoint ファイルの処理に関する任意のコードを実行される脆弱性	Microsoft Office PowerPoint には、PowerPoint ファイルの処理に不備があるため、任意のコードを実行される脆弱性が存在します。	CVE-2009-0221	37652	9.3		http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-001306.html	View

Message	Memory use
Component initialization	1.39 MB
Controller action start	1.49 MB
Controller render start	2.50 MB
View render complete	3.17 MB

Message	Time in ms	Graph
Core Processing (Derived from $_SERVER["REQUEST_TIME"])	2.74
Event: Controller.initialize	0.02
Event: Controller.startup	0.06
Controller action	405.19
Event: Controller.beforeRender	5.11
» Processing toolbar data	5.01
Rendering View	57.20
» Event: View.beforeRender	0.02
» Rendering APP/View/Cveinfos/view.ctp	55.75
» Event: View.afterRender	0.03
» Event: View.beforeLayout	0.03
» Rendering APP/View/Layouts/default.ctp	0.89
» » Rendering CORE/Cake/View/Elements/sql_dump.ctp	0.16
Event: View.afterLayout	0.00

Constant	Value
APP	/virtual/inogo77/public_html/jvn/app/
APP_DIR	app
APPLIBS	/virtual/inogo77/public_html/jvn/app/Lib/
CACHE	/virtual/inogo77/public_html/jvn/app/tmp/cache/
CAKE	/virtual/inogo77/public_html/jvn/lib/Cake/
CAKE_CORE_INCLUDE_PATH	/virtual/inogo77/public_html/jvn/lib
CORE_PATH	/virtual/inogo77/public_html/jvn/lib/
CAKE_VERSION	2.6.0
CSS	/virtual/inogo77/public_html/jvn/app/webroot/css/
CSS_URL	css/
DS	/
FULL_BASE_URL	http://inogo77.s500.xrea.com
IMAGES	/virtual/inogo77/public_html/jvn/app/webroot/img/
IMAGES_URL	img/
JS	/virtual/inogo77/public_html/jvn/app/webroot/js/
JS_URL	js/
LOGS	/virtual/inogo77/public_html/jvn/app/tmp/logs/
ROOT	/virtual/inogo77/public_html/jvn
TESTS	/virtual/inogo77/public_html/jvn/app/Test/
TMP	/virtual/inogo77/public_html/jvn/app/tmp/
VENDORS	/virtual/inogo77/public_html/jvn/vendors/
WEBROOT_DIR	webroot
WWW_ROOT	/virtual/inogo77/public_html/jvn/app/webroot/

Environment Variable	Value
Php Version	5.6.40
Phprc	php56.ini
Php Fcgi Children	1
Pwd	/virtual/inogo77/public_html/.fast-cgi-bin
Php Fcgi Max Requests	10000
Shlvl	0
Path	/usr/local/bin:/usr/bin:/bin
Script Name	/jvn/app/webroot/index.php
Request Uri	/jvn/cveinfos/view/37652
Query String
Request Method	GET
Server Protocol	HTTP/1.1
Gateway Interface	CGI/1.1
Redirect Url	/jvn/app/webroot/cveinfos/view/37652
Remote Port	8353
Script Filename	/virtual/inogo77/public_html/jvn/app/webroot/index.php
Server Admin	[no address given]
Context Document Root	/virtual/inogo77/public_html
Context Prefix
Request Scheme	http
Document Root	/virtual/inogo77/public_html
Remote Addr	216.73.216.223
Server Port	80
Server Addr	160.251.151.205
Server Name	inogo77.s500.xrea.com
Server Software	Apache
Server Signature
Http Connection	close
Http Cache Control	max-age=259200
Http X Forwarded For	10.1.148.26
Http Via	1.1 squid-proxy-5b5d847c96-7f7gz (squid/6.13)
Http Host	inogo77.s500.xrea.com
Http Accept Encoding	gzip, br, zstd, deflate
Http User Agent	Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Http Accept	/
Gem Home	/usr/local/rvm/gems/ruby-2.3.0
Suspectharddos	1
Suspectdos	1
X Dostranslated Ip	216.73.216.223
Mm Country Code	US
Mmdb Info	result found
Mmdb Addr	216.73.216.223
Unique Id	aOHqHQybNT3tQhsd26BuewAAAfA
Redirect Status	200
Redirect Gem Home	/usr/local/rvm/gems/ruby-2.3.0
Redirect Suspectharddos	1
Redirect Suspectdos	1
Redirect X Dostranslated Ip	216.73.216.223
Redirect Mm Country Code	US
Redirect Mmdb Info	result found
Redirect Mmdb Addr	216.73.216.223
Redirect Unique Id	aOHqHQybNT3tQhsd26BuewAAAfA
Redirect Redirect Status	200
Redirect Redirect Gem Home	/usr/local/rvm/gems/ruby-2.3.0
Redirect Redirect Suspectharddos	1
Redirect Redirect Suspectdos	1
Redirect Redirect X Dostranslated Ip	216.73.216.223
Redirect Redirect Mm Country Code	US
Redirect Redirect Mmdb Info	result found
Redirect Redirect Mmdb Addr	216.73.216.223
Redirect Redirect Unique Id	aOHqHQybNT3tQhsd26BuewAAAfA
Fcgi Role	RESPONDER
Php Self	/jvn/app/webroot/index.php
Request Time Float	1759635997.515
Request Time	1759635997

CVE

Actions

Related CVE References

Related JVN

Request History

Session

Request

Cake Params

Post data

Query string

Cookie

Current Route

Sql Logs

default

Memory

Timers

Logs

View Variables

App Constants

CakePHP Constants

PHP Environment

Included Files

Include Paths

Included Files