CVE-2019-12400
Published: 2019-08-23
Severity: medium, 5.5 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:N
In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 onward and all 2.1.x releases before 2.1.4.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apache_santuario_xml_security_for_java | — | — |
| apache | apache_santuario_xml_security_for_java | — | — |
| apache | santuario_xml_security_for_java | 2.0.3 – 2.0.10 | — |
| apache | santuario_xml_security_for_java | >= 2.1.0 < 2.1.4 | 2.1.4 |
| debian | libxml-security-java | < libxml-security-java 2.1.7-1 (bookworm) | libxml-security-java 2.1.7-1 (bookworm) |
| oracle | weblogic_server | — | — |
| oracle | weblogic_server | — | — |
| redhat | jboss_enterprise_application_platform | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| osv | — | 5.5 | MEDIUM | — |