Rajesh created XERCESJ-1738:
-------------------------------

Summary: [7.1] [CVE-2013-4002] [org.apache.xerces] [2.9.0]
Key: XERCESJ-1738
URL: https://issues.apache.org/jira/browse/XERCESJ-1738
Project: Xerces2-J
Issue Type: Bug
Reporter: Rajesh

*Description :*

*Severity :* CVE CVSS 2.0: 7.1; Sonatype CVSS 3: 6.5

*Weakness :* Sonatype CWE: 400

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

*Explanation :* Apache Xerces is vulnerable to Denial of Service [DoS]. A flaw exists in how XMLScanner.java processes XML pseudo-attributes. A remote attacker can exploit this behavior by uploading an XML document to cause a processing error resulting in a DoS.

*Detection :* The application is vulnerable if using Xerces to parse untrusted and/or user-created XML.

*Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

*Root Cause :* org.apache.xerces-2.9.0.jar : [ , 2.11.0.SP5]

*Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]

*CVSS Details :* CVE CVSS 2.0: 7.1; CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

*Occurrences (Paths) :* ["com.springsource.org.apache.xerces-2.9.1.jar"]

*CVE :* CVE-2013-4002

*URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]

Note: The com.springsource.org.apache.xerces-2.9.1.jar depends on org.apache.xerces-2.9.0.jar, so com.springsource.org.apache.xerces also needs to be fixed accordingly.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
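The detection line above says an application is exposed when it parses untrusted XML with a Xerces-J build older than 2.12.0, and the note points out that a repackaged JAR (com.springsource.org.apache.xerces) can pull in the old org.apache.xerces classes indirectly. The following program is an added example, not part of the Jira issue or of the Xerces project, that checks from inside a running JVM which parser implementation JAXP actually resolves and where it was loaded from, and, if a standalone org.apache.xerces is on the classpath, whether its self-reported version predates the 2.12.0 fix named in the CVE text. It uses `org.apache.xerces.impl.Version.getVersion()`, a real static method of Xerces-J, looked up reflectively so the program also runs on a classpath with no Xerces JAR; the class name `XercesVersionCheck` and the helper names are the example's own.

```java
import java.security.CodeSource;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;

public class XercesVersionCheck {

    /** First Xerces-J release carrying the fix, taken from the CVE text ("before 2.12.0"). */
    static final int[] FIXED_IN = {2, 12, 0};

    /** Extract major.minor.patch from a string such as "Xerces-J 2.9.1". */
    static int[] parseVersion(String s) {
        Matcher m = Pattern.compile("(\\d+)\\.(\\d+)(?:\\.(\\d+))?").matcher(s);
        if (!m.find()) {
            throw new IllegalArgumentException("no version number in: " + s);
        }
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return new int[] {Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)), patch};
    }

    /** True when the reported version is older than FIXED_IN (component-wise compare). */
    static boolean isBeforeFix(String versionString) {
        int[] v = parseVersion(versionString);
        for (int i = 0; i < FIXED_IN.length; i++) {
            if (v[i] != FIXED_IN[i]) {
                return v[i] < FIXED_IN[i];
            }
        }
        return false;
    }

    /** JAR (or directory) a class was loaded from; null for JDK-internal classes. */
    static String originOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Which DOM parser factory does JAXP hand the application?
        //    A com.sun.org.apache.xerces.internal.* class means the JDK's bundled copy
        //    is in use, so the relevant fix is the JDK update the CVE text refers to,
        //    not a replacement of the org.apache.xerces JAR.
        Class<?> impl = DocumentBuilderFactory.newInstance().getClass();
        System.out.println("JAXP DocumentBuilderFactory: " + impl.getName());
        System.out.println("  loaded from: " + originOf(impl));

        // 2. If a standalone Xerces-J is on the classpath, read its own version string.
        //    The "loaded from" path shows which JAR actually supplies the classes,
        //    which is what matters when a repackaged JAR depends on an older Xerces.
        try {
            Class<?> version = Class.forName("org.apache.xerces.impl.Version");
            String v = (String) version.getMethod("getVersion").invoke(null);
            System.out.println("org.apache.xerces.impl.Version: " + v);
            System.out.println("  loaded from: " + originOf(version));
            System.out.println("  older than 2.12.0 fix: " + isBeforeFix(v));
        } catch (ClassNotFoundException e) {
            System.out.println("No standalone org.apache.xerces on the classpath");
        }
    }
}
```

Run it with the application's real classpath (for example `java -cp app.jar:lib/* XercesVersionCheck`), because the answer depends on classloading order: a JAXP `DocumentBuilderFactory` resolving to the JDK-internal parser and a separate, older org.apache.xerces JAR are both possible at the same time, and the CVE text lists affected versions for each.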