Joshua Marquart created XALANJ-2793:
---------------------------------------
Summary: Xalan JAXP impl. missing fix for CVE-2019-2973
Key: XALANJ-2793
URL: https://issues.apache.org/jira/browse/XALANJ-2793
Project: XalanJ2
Issue Type: Bug
Security Level: No security risk; visible to anyone (Ordinary problems in
Xalan projects. Anybody can view the issue.)
Components: JAXP
Affects Versions: 2.7.3, 2.7.2
Reporter: Joshua Marquart
org.apache.xpath.compiler.XPathParser has the potential to throw a
StackOverflowError, under certain conditions.
Per the CVE summary, this has already been resolved in certain JRE releases of
JAXP; however, a cursory review of the existing releases of the classes from Xalan
shows the compensating code was not applied to Xalan's embedded JAXP classes, and
they therefore have the potential to throw a StackOverflowError.
CVE Details: [https://nvd.nist.gov/vuln/detail/cve-2019-2973]
OpenJDK resolved this CVE here:
[https://hg.openjdk.org/jdk8u/jdk8u/jaxp/rev/9094c855c4b4]