[ https://issues.apache.org/jira/browse/XERCESJ-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489309#comment-17489309 ]
Mukul Gandhi commented on XERCESJ-1738:
---------------------------------------

There was a similar issue solved within XercesJ 2.12.2. Can you please test with the 2.12.2 version and let us know the feedback. If this issue persists with the 2.12.2 version as well, please provide us the test case (preferably at priv...@xerces.apache.org) exhibiting this issue so that it can be investigated for resolution.

> [7.1] [CVE-2013-4002] [org.apache.xerces] [2.9.0]
> -------------------------------------------------
>
>                 Key: XERCESJ-1738
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1738
>             Project: Xerces2-J
>          Issue Type: Bug
>            Reporter: Rajesh
>            Priority: Major
>
> *Description :*
> *Severity :* CVE CVSS 2.0: 7.1
> Sonatype CVSS 3: 6.5
> *Weakness :* Sonatype CWE: 400
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
> *Explanation :* Apache Xerces is vulnerable to Denial of Service [DoS]. A flaw exists in how XMLScanner.java processes XML pseudo-attributes. A remote attacker can exploit this behavior by uploading an XML document to cause a processing error resulting in a DoS.
> *Detection :* The application is vulnerable if using Xerces to parse untrusted and/or user-created XML.
> *Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> *Root Cause :* org.apache.xerces-2.9.0.jar : [ , 2.11.0.SP5]
> *Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]
> *CVSS Details :* CVE CVSS 2.0: 7.1
> CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
> *Occurrences (Paths) :* ["com.springsource.org.apache.xerces-2.9.1.jar"]
> *CVE :* CVE-2013-4002
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]
>
> Note: The com.springsource.org.apache.xerces-2.9.1.jar depends on org.apache.xerces-2.9.0.jar, so com.springsource.org.apache.xerces also needs to be fixed accordingly.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
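The report's "Detection" and "Root Cause" entries come down to one question: is a Xerces2-J jar older than 2.12.0 on the classpath, including repackaged copies such as the com.springsource bundle that wraps the 2.9.0 jar? The script below is an added example, not code from this thread or from the Xerces project. It walks a directory, identifies Xerces jars by name or by the org/apache/xerces/ classes they ship, reads the version from the manifest (Implementation-Version or Bundle-Version) or from the file name, and flags anything below 2.12.0, the "before 2.12.0" bound in the CVE text (the assumption being that no vendor has backported the fix to an older version string). A jar whose version cannot be determined is flagged rather than passed. The jars that demo() builds are constructed for this example.

```python
"""Classpath check for CVE-2013-4002 (Xerces2-J before 2.12.0).

Added example, not code from the Jira thread or the Xerces project.
Every jar under a directory that looks like Xerces2-J is located, its
version is read from META-INF/MANIFEST.MF (Implementation-Version or
Bundle-Version) or, failing that, from the file name, and anything
older than 2.12.0 is flagged. Unknown versions are flagged too, so a
repackaged copy such as com.springsource.org.apache.xerces-*.jar is
not silently passed. The sample jars built by demo() are constructed.
"""
import os
import re
import tempfile
import zipfile

FIXED_IN = (2, 12, 0)  # CVE text: affected "before 2.12.0"; assumes no backported fix
VERSION_KEYS = ("Implementation-Version", "Bundle-Version")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """First x.y[.z] in text as an int tuple, or None if absent."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(path):
    """Version from the jar manifest, falling back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    key, _, value = line.partition(":")
                    if key.strip() in VERSION_KEYS:
                        found = parse_version(value)
                        if found:
                            return found
    except zipfile.BadZipFile:
        pass  # not a readable jar; still try the file name below
    return parse_version(os.path.basename(path))


def is_xerces_jar(path):
    """True if the name mentions xerces or the jar ships org/apache/xerces classes."""
    if "xerces" in os.path.basename(path).lower():
        return True
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.startswith("org/apache/xerces/") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan(root):
    """Return [(path, version_or_None, vulnerable)] for every Xerces jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            if not is_xerces_jar(path):
                continue
            version = jar_version(path)
            # Unknown version is treated as vulnerable: a silent pass is the worse failure.
            vulnerable = version is None or version < FIXED_IN
            findings.append((path, version, vulnerable))
    return findings


def make_sample_jar(path, version=None, key="Implementation-Version", xerces=True):
    """Write a constructed, minimal jar: a zip with a manifest and one class entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = "Manifest-Version: 1.0\n"
    if version:
        manifest += f"{key}: {version}\n"
    entry = "org/apache/xerces/impl/XMLScanner.class" if xerces else "org/example/Util.class"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only; constructed


def demo():
    """Build the constructed sample tree and scan it; {file name: (version, vulnerable)}."""
    root = tempfile.mkdtemp(prefix="xerces-scan-")
    lib = os.path.join(root, "WEB-INF", "lib")
    make_sample_jar(os.path.join(lib, "com.springsource.org.apache.xerces-2.9.1.jar"), "2.9.1", "Bundle-Version")
    make_sample_jar(os.path.join(lib, "org.apache.xerces-2.9.0.jar"), "2.9.0")
    make_sample_jar(os.path.join(lib, "xercesImpl-2.12.2.jar"), "2.12.2")
    make_sample_jar(os.path.join(lib, "xercesImpl.jar"))  # no version in manifest or name
    make_sample_jar(os.path.join(lib, "commons-io-2.11.0.jar"), "2.11.0", xerces=False)
    return {os.path.basename(p): (v, vuln) for p, v, vuln in scan(root)}


if __name__ == "__main__":
    for jar, (version, vulnerable) in demo().items():
        print(f"{'VULNERABLE' if vulnerable else 'ok'}\t{jar}\t{version}")
```

Run it against a deployed application's lib directory (or an unpacked WAR) with `scan(path)`; the name-or-contents test is what catches the com.springsource repackaging mentioned in the issue, since a shaded or renamed jar still carries the org/apache/xerces/ package entries even when its file name does not say "xerces".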