GitHub Advisory DatabaseGHSA-7J4H-8WPF-RQFHMissing XML Validation in Apache Xerces2
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.019 Low
EPSS
Percentile
88.3%
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
| CPE | Name | Operator | Version |
|---|---|---|---|
| xerces:xercesimpl | lt | 2.12.0 |
References
lists.apple.com/archives/security-announce/2013/Oct/msg00001.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html
lists.opensuse.org/opensuse-updates/2013-11/msg00023.html
marc.info/?l=bugtraq&m=138674031212883&w=2
marc.info/?l=bugtraq&m=138674073720143&w=2
rhn.redhat.com/errata/RHSA-2013-1059.html
rhn.redhat.com/errata/RHSA-2013-1060.html
rhn.redhat.com/errata/RHSA-2013-1081.html
rhn.redhat.com/errata/RHSA-2013-1440.html
rhn.redhat.com/errata/RHSA-2013-1447.html
rhn.redhat.com/errata/RHSA-2013-1451.html
rhn.redhat.com/errata/RHSA-2013-1505.html
rhn.redhat.com/errata/RHSA-2014-1818.html
rhn.redhat.com/errata/RHSA-2014-1821.html
rhn.redhat.com/errata/RHSA-2014-1822.html
rhn.redhat.com/errata/RHSA-2014-1823.html
rhn.redhat.com/errata/RHSA-2015-0675.html
rhn.redhat.com/errata/RHSA-2015-0720.html
rhn.redhat.com/errata/RHSA-2015-0765.html
rhn.redhat.com/errata/RHSA-2015-0773.html
security.gentoo.org/glsa/glsa-201406-32.xml
support.apple.com/kb/HT5982
svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch
www-01.ibm.com/support/docview.wss?uid=swg1IC98015
www-01.ibm.com/support/docview.wss?uid=swg21644197
www-01.ibm.com/support/docview.wss?uid=swg21653371
www-01.ibm.com/support/docview.wss?uid=swg21657539
www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html
www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002
www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013
www.ibm.com/support/docview.wss?uid=swg21648172
www.ubuntu.com/usn/USN-2033-1
www.ubuntu.com/usn/USN-2089-1
access.redhat.com/errata/RHSA-2014:0414
exchange.xforce.ibmcloud.com/vulnerabilities/85260
github.com/advisories/GHSA-7j4h-8wpf-rqfh
github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17
issues.apache.org/jira/browse/XERCESJ-1679
lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E
lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2013-4002
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Related
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.019 Low
EPSS
Percentile
88.3%