CVE-2022-23437 – xerces:xercesimpl

Package

Manager: maven
Name: xerces:xercesimpl
Vulnerable Version: >=0 <2.12.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00077 pctl0.23557

Details

Infinite Loop in Apache Xerces Java There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Metadata

Created: 2022-01-27T16:13:07Z
Modified: 2023-06-22T19:15:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json
CWE IDs: ["CWE-91"]
Alternative ID: GHSA-h65f-jvqw-m9fj
Finding: F083
Auto approve: 1