Rajesh created XERCESJ-1738:
-------------------------------

             Summary: [7.1] [CVE-2013-4002] [org.apache.xerces] [2.9.0]
                 Key: XERCESJ-1738
                 URL: https://issues.apache.org/jira/browse/XERCESJ-1738
             Project: Xerces2-J
          Issue Type: Bug
            Reporter: Rajesh


*Description :*
*Severity :* CVE CVSS 2.0: 7.1; Sonatype CVSS 3: 6.5

*Weakness :* Sonatype CWE: 400

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* XMLscanner.java in Apache Xerces2 Java Parser before 
2.12.0, as used in the Java Runtime Environment in IBM Java 5.0 before 5.0 
SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well 
as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 
and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE 
Embedded 7u40 and earlier, and possibly other products allows remote attackers 
to cause a denial of service via vectors related to XML attribute names.

*Explanation :* Apache Xerces is vulnerable to Denial of Service [DoS]. A flaw 
exists in how XMLScanner.java processes XML pseudo-attributes. A remote 
attacker can exploit this behavior by uploading an XML document to cause a 
processing error resulting in a DoS.

*Detection :* The application is vulnerable if using Xerces to parse untrusted 
and/or user-created XML.

*Recommendation :* We recommend upgrading to a version of this component that 
is not vulnerable to this specific issue.

*Root Cause :* org.apache.xerces-2.9.0.jar : [ , 2.11.0.SP5]

*Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]

*CVSS Details :* CVE CVSS 2.0: 7.1; CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

*Occurrences (Paths) :* ["com.springsource.org.apache.xerces-2.9.1.jar"]

*CVE :* CVE-2013-4002

*URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]

 

Note: The com.springsource.org.apache.xerces-2.9.1.jar depends on 
org.apache.xerces-2.9.0.jar, so com.springsource.org.apache.xerces also needs to 
be fixed accordingly.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
