CVE-2019-12400

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Santuario - Xml Security For Java
Vendor
CVE Published:
23 August 2019

Summary

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

Affected Version(s)

Apache Santuario - XML Security for Java All 2.0.x releases from 2.0.3

Apache Santuario - XML Security for Java all 2.1.x releases before 2.1.4.

References

https://lists.apache.org/thread.html/8e814b925bf580bc527d...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c...
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2020:0806
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.