GHSA-h65f-jvqw-m9fj

Suggest an improvement
Source
https://github.com/advisories/GHSA-h65f-jvqw-m9fj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h65f-jvqw-m9fj
Aliases
Published
2022-01-27T16:13:07Z
Modified
2024-02-16T05:19:54.707473Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Infinite Loop in Apache Xerces Java
Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Database specific
{
    "nvd_published_at": "2022-01-24T15:15:00Z",
    "cwe_ids": [
        "CWE-91"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-25T20:46:16Z"
}
References

Affected packages

Maven / xerces:xercesImpl

Package

Name
xerces:xercesImpl
View open source insights on deps.dev
Purl
pkg:maven/xerces/xercesImpl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.2

Affected versions

2.*

2.0.0
2.0.2
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.6.2
2.6.2-jaxb-1.0.6
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1