CVE-2022-23437 — Infinite Loop in Software Foundation Apache Xerces
Severity
6.5 MEDIUM (NVD)
EPSS
0.1%
top 75.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 24
Latest update: Oct 15
Description
There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration. The vulnerability is present in XercesJ version 2.12.1 and earlier versions.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 30 packages
Patches
Vulnerability Details
Vendor Advisories
Oracle
- Oracle Commerce Risk Matrix: Endeca Application Controller (Apache Xerces2 Java) — CVE-2022-23437 (2023-07-15)
- Oracle Commerce Risk Matrix: Content Acquisition System, Workbench (Apache Xerces2 Java) — CVE-2022-23437 (2023-04-15)
- Oracle Insurance Applications Risk Matrix: Development Tools (Apache Xerces-J) — CVE-2022-23437 (2023-01-15)
- Oracle Commerce Risk Matrix: Endeca Integration (Apache Xerces-J) — CVE-2022-23437 (2022-10-15)