CVE-2019-12400 — Improper Input Validation in Apache Santuario XML Security for Java
Severity: 5.5 (Medium, NVD)
EPSS: 0.6% (top 30.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 23
Latest update: Oct 15
Description
In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up the creation of new XML documents by keeping a static pool of DocumentBuilders. However, if untrusted code can first register a malicious implementation with the thread context class loader, that implementation may be cached and reused by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santua…
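The mechanism the description refers to, shown as an added illustration (this is not Santuario's own code and not the project's fix): JAXP's DocumentBuilderFactory.newInstance() falls back to a ServiceLoader lookup on the calling thread's context class loader, so a static cache that is filled lazily by its first caller inherits whatever provider that caller's loader advertises. The hypothetical EvilFactory and RegisteringLoader play the untrusted code that registers a provider; the vulnerable cache and the hardened cache (lookup performed with the library's own class loader installed as TCCL) are both assumptions for this demo. Runs stand-alone on Java 11 or later.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class SantuarioPoolDemo {

    // Hypothetical attacker-controlled provider (not a Santuario class). It delegates
    // to the JDK parser but records that it ran; a real payload could hand back a
    // builder that rewrites the DOM before signature validation ever sees it.
    public static class EvilFactory extends DocumentBuilderFactory {
        static volatile boolean attackerCodeRan = false;
        private final DocumentBuilderFactory delegate = DocumentBuilderFactory.newDefaultInstance();

        public EvilFactory() { }   // ServiceLoader requires a public no-arg constructor

        @Override public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
            attackerCodeRan = true;
            return delegate.newDocumentBuilder();
        }
        @Override public void setAttribute(String name, Object value) { delegate.setAttribute(name, value); }
        @Override public Object getAttribute(String name) { return delegate.getAttribute(name); }
        @Override public void setFeature(String name, boolean value) throws ParserConfigurationException {
            delegate.setFeature(name, value);
        }
        @Override public boolean getFeature(String name) throws ParserConfigurationException {
            return delegate.getFeature(name);
        }
    }

    // Hypothetical class loader standing in for the untrusted code's loader. JAXP's
    // newInstance() ends up in ServiceLoader.load(DocumentBuilderFactory.class), which
    // asks the thread context class loader for META-INF/services/<factory name>;
    // this loader answers that one lookup with a file naming EvilFactory.
    static final class RegisteringLoader extends ClassLoader {
        private static final String SERVICE = "META-INF/services/" + DocumentBuilderFactory.class.getName();
        private final URL registration;

        RegisteringLoader(ClassLoader parent, URL registration) {
            super(parent);
            this.registration = registration;
        }
        @Override public Enumeration<URL> getResources(String name) throws IOException {
            return SERVICE.equals(name) ? Collections.enumeration(List.of(registration)) : super.getResources(name);
        }
    }

    // Vulnerable shape (modelled on the advisory's description, not on Santuario's code):
    // a static cache filled by the first caller, so the provider lookup runs under that
    // caller's TCCL and the result is reused by every later caller.
    private static DocumentBuilderFactory cachedFactory;
    static synchronized DocumentBuilderFactory vulnerableFactory() {
        if (cachedFactory == null) {
            cachedFactory = DocumentBuilderFactory.newInstance();
        }
        return cachedFactory;
    }

    // Hardened shape: same cache, but the lookup runs with this class's own loader
    // installed as TCCL, so a caller's loader cannot choose the implementation.
    private static DocumentBuilderFactory pinnedFactory;
    static synchronized DocumentBuilderFactory hardenedFactory() {
        if (pinnedFactory == null) {
            Thread t = Thread.currentThread();
            ClassLoader callers = t.getContextClassLoader();
            t.setContextClassLoader(SantuarioPoolDemo.class.getClassLoader());
            try {
                pinnedFactory = DocumentBuilderFactory.newInstance();
            } finally {
                t.setContextClassLoader(callers);
            }
        }
        return pinnedFactory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed registration file, as an attacker's JAR would carry under META-INF/services.
        Path registration = Files.createTempFile("jaxp-provider", ".txt");
        Files.writeString(registration, EvilFactory.class.getName() + System.lineSeparator());
        ClassLoader untrustedLoader =
                new RegisteringLoader(SantuarioPoolDemo.class.getClassLoader(), registration.toUri().toURL());

        // Step 1: untrusted code runs first, under its own TCCL, and warms both caches.
        Thread untrusted = new Thread(() -> { vulnerableFactory(); hardenedFactory(); });
        untrusted.setContextClassLoader(untrustedLoader);
        untrusted.start();
        untrusted.join();

        // Step 2: trusted code on an ordinary thread asks for a parser and gets whatever was cached.
        System.out.println("vulnerable cache holds: " + vulnerableFactory().getClass().getName());
        System.out.println("hardened cache holds:   " + hardenedFactory().getClass().getName());
        vulnerableFactory().newDocumentBuilder();
        System.out.println("attacker code ran while a trusted caller built a parser: " + EvilFactory.attackerCodeRan);
        Files.deleteIfExists(registration);
    }
}
```

The demo caches the factory rather than a pool of builders; a pool of builders created from a factory resolved the same way inherits the same problem, since every pooled builder comes from the implementation that the first caller's loader selected. Two caveats for anyone applying the hardened pattern: pinning the TCCL only helps when the untrusted code has its own class loader (a deployed application in a container, a plugin), not when it sits on the same classpath as the library, and DocumentBuilderFactory.newDefaultInstance() (JDK 9+) avoids the lookup altogether at the cost of ignoring any legitimately configured provider. The dependable remedy is to move to a release outside the affected ranges listed on this page.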
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.8 | Impact: 3.6
Affected packages (4 packages)
CVEList V5: apache/apache_santuario_xml_security_for_java: all 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4 (+1 more)
Patches
Vulnerability Details (4)
Vendor advisories (3)
Oracle: Oracle Fusion Middleware Risk Matrix: Web Services (Apache Santuario XML Security For Java) — CVE-2019-12400 (2021-10-15)
Red Hat: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (2019-08-23)
Debian: CVE-2019-12400: libxml-security-java - In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was... (2019)
Community (4)
Bugzilla: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (2019-10-23)
Bugzilla: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [epel-all] (2019-10-23)
Bugzilla: CVE-2019-12400 xmlsec1: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all] (2019-10-23)
Bugzilla: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all] (2019-10-23)