[ https://issues.apache.org/jira/browse/XERCESJ-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490126#comment-17490126 ]

Mukul Gandhi commented on XERCESJ-1738:
---------------------------------------

You can have your project depend on the following Maven artifact (which was 
uploaded very recently to Maven Central), instead of the older XercesJ provided by 
Spring:

<dependency>
    <groupId>xerces</groupId>
    <artifactId>xercesImpl</artifactId>
    <version>2.12.2</version>
</dependency>

> [7.1] [CVE-2013-4002] [org.apache.xerces] [2.9.0]
> -------------------------------------------------
>
>                 Key: XERCESJ-1738
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1738
>             Project: Xerces2-J
>          Issue Type: Bug
>            Reporter: Rajesh
>            Priority: Major
>
> *Description :*
> *Severity :* CVE CVSS 2.0: 7.1; Sonatype CVSS 3: 6.5
> *Weakness :* Sonatype CWE: 400
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* XMLscanner.java in Apache Xerces2 Java Parser before 
> 2.12.0, as used in the Java Runtime Environment in IBM Java 5.0 before 5.0 
> SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well 
> as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 
> and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java 
> SE Embedded 7u40 and earlier, and possibly other products allows remote 
> attackers to cause a denial of service via vectors related to XML attribute 
> names.
> *Explanation :* Apache Xerces is vulnerable to Denial of Service [DoS]. A 
> flaw exists in how XMLScanner.java processes XML pseudo-attributes. A remote 
> attacker can exploit this behavior by uploading an XML document to cause a 
> processing error resulting in a DoS.
> *Detection :* The application is vulnerable if using Xerces to parse 
> untrusted and/or user-created XML.
> *Recommendation :* We recommend upgrading to a version of this component that 
> is not vulnerable to this specific issue.
> *Root Cause :* org.apache.xerces-2.9.0.jar : [ , 2.11.0.SP5]
> *Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]
> *CVSS Details :* CVE CVSS 2.0: 7.1; CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
> *Occurrences (Paths) :* ["com.springsource.org.apache.xerces-2.9.1.jar"]
> *CVE :* CVE-2013-4002
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]
>  
> Note: The com.springsource.org.apache.xerces-2.9.1.jar depends on 
> org.apache.xerces-2.9.0.jar, so com.springsource.org.apache.xerces also needs 
> to be fixed accordingly.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
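Swapping the dependency declaration is only half the fix: the Spring-repackaged jar named in the report is the same Xerces code under a different artifact, so a build can still resolve it transitively and load 2.9.x at runtime, or the JDK's own internal copy of Xerces may be what JAXP actually hands out. The following check is an added example written for this page, not code from the Xerces project or from the thread above. It uses two real Xerces2-J APIs, `org.apache.xerces.impl.Version.getVersion()` (which returns a string of the form "Xerces-J 2.12.2") and the standard JAXP `DocumentBuilderFactory`, and assumes that whatever Xerces jar your build resolved is on the classpath when it runs. The class name `XercesVersionCheck` and the `2.12.0` threshold (taken from the "before 2.12.0" wording of the CVE text quoted above) are this example's own choices.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;
import javax.xml.parsers.DocumentBuilderFactory;

/**
 * Reports which Xerces2-J build this JVM actually loads and whether it predates
 * 2.12.0, the first release the CVE-2013-4002 description names as fixed.
 * Reflection is used so the class compiles and runs whether or not xercesImpl is
 * on the classpath; org.apache.xerces.impl.Version and getVersion() are Xerces2-J's own.
 */
public class XercesVersionCheck {

    /** Minimum fixed release per the CVE text ("before 2.12.0"); chosen for this example. */
    static final int[] MIN_FIXED = {2, 12, 0};

    /** Parse "Xerces-J 2.12.2" (the format returned by Version.getVersion()) into {2, 12, 2}. */
    static int[] parseVersion(String versionString) {
        String[] words = versionString.trim().split("\\s+");
        String[] parts = words[words.length - 1].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            // Tolerate suffixes such as "2.12.2-SNAPSHOT" by keeping only the leading digits.
            String digits = parts[i].replaceAll("[^0-9].*$", "");
            out[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return out;
    }

    /** True when version a is older than version b (compared major, then minor, then patch). */
    static boolean isOlderThan(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return a[i] < b[i];
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // 1. Which JAXP implementation does the JVM hand out? The JDK's bundled copy of Xerces
        //    lives under com.sun.org.apache.xerces.internal; a standalone xercesImpl jar
        //    registers org.apache.xerces.jaxp.DocumentBuilderFactoryImpl via META-INF/services.
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        System.out.println("DocumentBuilderFactory impl: " + factory.getClass().getName());

        // 2. Is a standalone Xerces2-J on the classpath, which release is it, and which jar did it
        //    come from? The jar location is what exposes a stray com.springsource repackaging.
        Class<?> versionClass;
        try {
            versionClass = Class.forName("org.apache.xerces.impl.Version");
        } catch (ClassNotFoundException e) {
            System.out.println("No standalone Xerces2-J on the classpath (JDK-internal parser only).");
            return;
        }
        Method getVersion = versionClass.getMethod("getVersion");
        String version = (String) getVersion.invoke(null);
        CodeSource source = versionClass.getProtectionDomain().getCodeSource();
        System.out.println(version + " loaded from "
                + (source == null ? "<bootstrap class path>" : source.getLocation()));

        if (isOlderThan(parseVersion(version), MIN_FIXED)) {
            System.out.println("VULNERABLE: older than 2.12.0 (CVE-2013-4002); upgrade xercesImpl.");
            System.exit(1);
        }
        System.out.println("OK: Xerces2-J 2.12.0 or later.");
    }
}
```

Run it with the application's real runtime classpath (for example `java -cp xercesImpl-2.12.2.jar:. XercesVersionCheck`), not a hand-built one, since the point is to see what the build actually resolved. If the reported jar location is still the `com.springsource.org.apache.xerces-2.9.1.jar` from the report, the Spring-repackaged artifact is being pulled in transitively and must be excluded in the POM under whatever coordinates it resolves to in your build; `mvn dependency:tree` shows which dependency drags it in. Note also that the Java runtimes listed in the CVE description carry their own internal copy of Xerces and were patched separately, so a `com.sun.org.apache.xerces.internal` factory means the JDK patch level, not the xercesImpl version, is what matters.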
