XML Parsing Vulnerability in Apache Santuario XML Security for Java
CVE-2019-12400

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Santuario - Xml Security For Java
Vendor
CVE Published:
23 August 2019

Summary

In versions of Apache Santuario XML Security for Java starting from 2.0.3, a caching mechanism was implemented to optimize the creation of new XML documents using a static pool of DocumentBuilders. However, this mechanism is susceptible to risks if untrusted code registers a harmful implementation with the thread context class loader. Consequently, the cached implementation may be reused by the library, leading to potential security issues, particularly during the validation of signed documents. Versions affected by this vulnerability include 2.0.x from 2.0.3 and all 2.1.x releases prior to version 2.1.4.

Affected Version(s)

Apache Santuario - XML Security for Java All 2.0.x releases from 2.0.3

Apache Santuario - XML Security for Java all 2.1.x releases before 2.1.4.

References

https://lists.apache.org/thread.html/8e814b925bf580bc527d...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c...
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2020:0806
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.