xercesImpl.jar: 4 vulnerabilities (highest severity is: 7.5) #16
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Library home page: http://archive.apache.org/dist/harmony/milestones/M11/apache-harmony-hdk-r808406-linux-x86_64-64-snapshot.tar.gz
Path to vulnerable library: /adit-war/lib/xercesImpl-2.9.1.jar
Vulnerabilities
Details
Vulnerable Library - xercesImpl.jar
Library home page: http://archive.apache.org/dist/harmony/milestones/M11/apache-harmony-hdk-r808406-linux-x86_64-64-snapshot.tar.gz
Path to vulnerable library: /adit-war/lib/xercesImpl-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
Vulnerable Library - xercesImpl.jar
Library home page: http://archive.apache.org/dist/harmony/milestones/M11/apache-harmony-hdk-r808406-linux-x86_64-64-snapshot.tar.gz
Path to vulnerable library: /adit-war/lib/xercesImpl-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
Vulnerable Library - xercesImpl.jar
Library home page: http://archive.apache.org/dist/harmony/milestones/M11/apache-harmony-hdk-r808406-linux-x86_64-64-snapshot.tar.gz
Path to vulnerable library: /adit-war/lib/xercesImpl-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.
Publish Date: 2020-09-17
URL: CVE-2020-14338
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-10-19
Fix Resolution: xerces:xercesImpl:2.12.0.SP3
Vulnerable Library - xercesImpl.jar
Library home page: http://archive.apache.org/dist/harmony/milestones/M11/apache-harmony-hdk-r808406-linux-x86_64-64-snapshot.tar.gz
Path to vulnerable library: /adit-war/lib/xercesImpl-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: xerces:xercesImpl:2.12.0
The text was updated successfully, but these errors were encountered: