ByteOS Network

Vulnerability Details :

CVE-2022-23437

Assigner-apache

Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09

Published At-24 Jan, 2022 | 00:00

Updated At-03 Aug, 2024 | 03:43

Infinite loop within Apache XercesJ xml parser

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:apache

Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09

Published At:24 Jan, 2022 | 00:00

Updated At:03 Aug, 2024 | 03:43

▼CVE Numbering Authority (CNA)

Infinite loop within Apache XercesJ xml parser

Affected Products

Vendor

The Apache Software Foundation

Product

Apache Xerces

Versions

Affected

From Apache XercesJ through 2.12.1 (custom)

Problem Types

Type	CWE ID	Description
text	N/A	Infinite loop within Apache XercesJ xml parser

Type: text

CWE ID: N/A

Description: Infinite loop within Apache XercesJ xml parser

Metrics Other Info

unknown

other:

high

Workarounds

Apache XercesJ users, should migrate to version 2.12.2

Credits

This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team

References

Hyperlink	Resource
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	N/A
http://www.openwall.com/lists/oss-security/2022/01/24/3	mailing-list
https://www.oracle.com/security-alerts/cpuapr2022.html	N/A
https://www.oracle.com/security-alerts/cpujul2022.html	N/A
https://security.netapp.com/advisory/ntap-20221028-0005/	N/A

Hyperlink: https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl

Resource: N/A

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/24/3

Resource:

mailing-list

Hyperlink: https://www.oracle.com/security-alerts/cpuapr2022.html

Resource: N/A

Hyperlink: https://www.oracle.com/security-alerts/cpujul2022.html

Resource: N/A

Hyperlink: https://security.netapp.com/advisory/ntap-20221028-0005/

Resource: N/A

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	x_transferred
http://www.openwall.com/lists/oss-security/2022/01/24/3	mailing-list x_transferred
https://www.oracle.com/security-alerts/cpuapr2022.html	x_transferred
https://www.oracle.com/security-alerts/cpujul2022.html	x_transferred
https://security.netapp.com/advisory/ntap-20221028-0005/	x_transferred

Hyperlink: https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl

Resource:

x_transferred

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/24/3

Resource:

mailing-list

x_transferred

Hyperlink: https://www.oracle.com/security-alerts/cpuapr2022.html

Resource:

x_transferred

Hyperlink: https://www.oracle.com/security-alerts/cpujul2022.html

Resource:

x_transferred

Hyperlink: https://security.netapp.com/advisory/ntap-20221028-0005/

Resource:

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@apache.org

Published At:24 Jan, 2022 | 15:15

Updated At:08 Aug, 2023 | 14:22

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary	2.0	7.1	HIGH	AV:N/AC:M/Au:N/C:N/I:N/A:C

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Type: Primary

Version: 2.0

Base score: 7.1

Base severity: HIGH

Vector:

AV:N/AC:M/Au:N/C:N/I:N/A:C

CPE Matches

The Apache Software Foundation

>>xerces-j>>Versions up to 2.12.1(inclusive)

Hyperlink	Source	Resource
http://www.openwall.com/lists/oss-security/2022/01/24/3	security@apache.org	Mailing List Third Party Advisory
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	security@apache.org	Mailing List Vendor Advisory
https://security.netapp.com/advisory/ntap-20221028-0005/	security@apache.org	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	security@apache.org	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	security@apache.org	Patch Third Party Advisory

CVE-2022-23437

Credits

Infinite loop within Apache XercesJ xml parser

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs