Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNjVmLWp2cXctbTlmas0mHg
Infinite Loop in Apache Xerces Java
There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and previous versions.
Permalink: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNjVmLWp2cXctbTlmas0mHg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-h65f-jvqw-m9fj, CVE-2022-23437
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23437
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
- http://www.openwall.com/lists/oss-security/2022/01/24/3
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20221028-0005/
- https://github.com/advisories/GHSA-h65f-jvqw-m9fj
Affected Packages
maven:xerces:xercesImpl
Dependent packages: 1,930
Dependent repositories: 17,907
Affected Version Ranges: < 2.12.2
Fixed in: 2.12.2
All affected versions: 2.0.0, 2.0.2, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.12.0, 2.12.1
All unaffected versions: 2.12.2