CVE-2009-2625 — Infinite Loop in Apache Xerces2 Java

16 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

1.2%

top 20.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Xerces2 Java Canonical Ubuntu Linux Debian Linux +6 more

Timeline

PublishedAug 6

Latest updateJun 15

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶NVDapache/xerces2_java2.9.1

▶NVDoracle/primavera_web_services6.2.1, 7.0+1

▶NVDoracle/jdk1.5.0, 1.6.0+1

▶NVDopensuse/opensuse11.0, 11.1, 11.2+2

▶NVDsuse/linux_enterprise_server10, 11, 9+2

Also affects: Debian Linux 4.0, 5.0, Fedora 10, 11, Ubuntu Linux 6.06, 8.04, 8.10, 9.04, 9.10

Patches

Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Denial of service in Apache Xerces2↗2020-06-15

▶

OSV

Denial of service in Apache Xerces2↗2020-06-15

▶

CVEList

CVE-2009-2625: XMLScanner↗2009-08-06

▶

OSV

CVE-2009-2625: XMLScanner↗2009-08-06

▶

📋Vendor Advisories

Ubuntu

Expat vulnerabilities↗2010-01-20

▶

Red Hat

expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences↗2009-12-02

▶

Ubuntu

OpenJDK vulnerabilities↗2009-08-11

▶

Red Hat

JDK: XML parsing Denial-Of-Service (6845701)↗2009-08-05

▶

Red Hat

expat: buffer over-read and crash on XML with malformed UTF-8 sequences↗2009-01-17

▶

💬Community

Bugzilla

CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) [fedora-14]↗2011-11-04

▶

Bugzilla

CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) [epel-5]↗2011-11-04

▶

Bugzilla

CVE-2009-2625 OpenJDK: XML parsing Denial-Of-Service (6845701) [fedora-all]↗2011-03-25

▶

Bugzilla

CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences↗2009-11-05

▶

Bugzilla

CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)↗2009-07-21

▶