Joshua Marquart created XALANJ-2794:
---------------------------------------

Summary: Xalan JAXP impl. missing fix for CVE-2019-2973
Key: XALANJ-2794
URL: https://issues.apache.org/jira/browse/XALANJ-2794
Project: XalanJ2
Issue Type: Bug
Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
Components: JAXP
Affects Versions: 2.7.3, 2.7.2
Reporter: Joshua Marquart

org.apache.xpath.compiler.XPathParser has the potential to throw a StackOverflowError under certain conditions.

Per the CVE summary, this has already been resolved by certain JRE releases of JAXP; however, a cursory review of the existing releases of the classes from Xalan shows the compensating code was not applied to Xalan's embedded JAXP classes, which therefore have the potential to throw a StackOverflowError.

CVE Details: [https://nvd.nist.gov/vuln/detail/cve-2019-2973]

OpenJDK resolved this CVE here: [https://hg.openjdk.org/jdk8u/jdk8u/jaxp/rev/9094c855c4b4]