CVE-2013-2155

Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7.1 does not properly validate length values, which allows remote attackers to cause a denial of service or bypass the CVE-2009-0217 protection mechanism and spoof a signature via crafted length values to the (1) compareBase64StringToRaw, (2) DSIGAlgorithmHandlerDefault, or (3) DSIGAlgorithmHandlerDefault::verify functions.

Published: Aug 20, 2013
Updated: Nov 9, 2025
CVE: CVE-2013-2155
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / xml_security_for_c++	1.6.0	1.6.0.x
apache / xml_security_for_c++	1.1.0	1.1.0.x
apache / xml_security_for_c++	1.6.1	1.6.1.x
apache / xml_security_for_c++	1.2.1	1.2.1.x
apache / xml_security_for_c++	1.5.1	1.5.1.x
apache / xml_security_for_c++	1.5.0	1.5.0.x
apache / xml_security_for_c++	0.2.0	0.2.0.x
apache / xml_security_for_c++	1.3.0	1.3.0.x
apache / xml_security_for_c++	-	1.7.0.x
apache / xml_security_for_c++	1.4.0	1.4.0.x
apache / xml_security_for_c++	1.3.1	1.3.1.x
apache / xml_security_for_c++	1.2.0	1.2.0.x
apache / xml_security_for_c++	0.1.0	0.1.0.x

Vulnerability Database

317,828

CVE-2013-2155

Deep Security Visibility Without the Complexity