WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl

Description

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Remediation

References

https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl

http://www.openwall.com/lists/oss-security/2022/01/24/3

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://security.netapp.com/advisory/ntap-20221028-0005/

Related Vulnerabilities

CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api

CVE-2021-36774 Vulnerability in maven package org.apache.kylin:kylin-core-common

CVE-2023-29924 Vulnerability in maven package tech.powerjob:powerjob

CVE-2021-32820 Vulnerability in npm package express-handlebars

CVE-2020-11619 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-835 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Mailing List Vendor Advisory Third Party Advisory Patch