Description
Apache Xerces Java (XercesJ) contains a flaw in its handling of specially crafted XML document payloads: a malicious document can drive the parser into an infinite loop, which may consume system resources (CPU time, and the memory and thread held by the parse) for a prolonged period, i.e. a denial of service (CWE-835). Because the loop never exits on its own, any application that parses attacker-supplied XML with an affected library, without an external bound on parse time, is exposed. The flaw is present in XercesJ 2.12.1 and all earlier versions; the vendor advisory referenced below announces the fixed release, 2.12.2.
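The practical questions for a practitioner are which Xerces build is actually on the classpath, and how to keep a parse of untrusted XML from pinning a thread forever while the upgrade is rolled out. The following is an added example written for this page, not code from the Xerces project or from the advisory. It assumes the standalone xercesImpl artifact is on the classpath (so DocumentBuilderFactory.newInstance() resolves to Xerces and org.apache.xerces.impl.Version is present); the sample document and the 2000 ms deadline are constructed for illustration. The DTD/entity hardening shown is generic good practice for untrusted XML and does not by itself close this CVE; the deadline is the mitigation, and the upgrade is the fix.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public final class BoundedXmlParse {

    // Constructed sample input for the demo; a real deployment parses attacker-supplied bytes here.
    private static final String SAMPLE =
        "<?xml version=\"1.0\"?><order id=\"42\"><item sku=\"A1\" qty=\"3\"/></order>";

    /** Reports the Xerces-J build on the classpath, or why it could not be determined. */
    static String xercesVersion() {
        try {
            // Xerces-J's own version class; absent when only the JDK's internal copy is present.
            return org.apache.xerces.impl.Version.getVersion();
        } catch (Throwable t) {
            return "standalone Xerces-J not found (" + t.getClass().getSimpleName() + ")";
        }
    }

    /** Generic hardening for untrusted XML: no DOCTYPE, no external entities, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Parses on a daemon worker thread and gives up after timeoutMillis. Caveat: a CPU-bound
     * loop inside the parser does not observe Thread.interrupt(), so cancel(true) may not stop
     * the worker; the caller is released and the input rejected, but the spinning thread is
     * only reclaimed when the JVM exits. That is why this is a mitigation, not a fix.
     */
    static Document parseWithDeadline(byte[] xml, long timeoutMillis) throws Exception {
        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "xml-parse-worker");
            t.setDaemon(true);
            return t;
        });
        try {
            Future<Document> fut = ex.submit(() -> {
                DocumentBuilder b = hardenedFactory().newDocumentBuilder();
                return b.parse(new ByteArrayInputStream(xml));
            });
            try {
                return fut.get(timeoutMillis, TimeUnit.MILLISECONDS);
            } catch (TimeoutException te) {
                fut.cancel(true);
                throw new IllegalStateException(
                    "XML parse exceeded " + timeoutMillis + " ms; input rejected", te);
            }
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Xerces on classpath: " + xercesVersion());
        Document d = parseWithDeadline(SAMPLE.getBytes(StandardCharsets.UTF_8), 2000);
        System.out.println("root element: " + d.getDocumentElement().getTagName());
    }
}
```

Run it with the application's real classpath (for Maven builds, `mvn dependency:tree` shows whether xercesImpl is pulled in transitively): a version string of "Xerces-J 2.12.1" or lower is the affected range named above. Pick the deadline from the size of documents the service legitimately accepts, and treat a timeout as a security event worth logging with the source of the input.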
References (5)
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/01/24/3
Mailing List, Vendor Advisory
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221028-0005/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
6.5
EPSS
0.0010
EPSS Percentile
27.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Status
published
Products (50)
apache/xerces-j
<= 2.12.1
netapp/active_iq_unified_manager
oracle/agile_engineering_data_management
6.2.1.0
oracle/agile_plm
9.3.6
oracle/banking_deposits_and_lines_of_credit_servicing
2.7
oracle/banking_party_management
2.7.0
oracle/communications_asap
7.3
oracle/communications_element_manager
< 9.0
oracle/communications_session_report_manager
< 9.0
oracle/communications_session_route_manager
< 9.0
... and 40 more
Published
Jan 24, 2022
Tracked Since
Feb 18, 2026