The following security advisory is announced for the Apache Santuario - XML Security for Java project, which is fixed in the recent 2.1.4 release.
[CVEID]:CVE-2019-12400 [PRODUCT]:Apache Santuario - XML Security for Java [VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4. [PROBLEMTYPE]:Process Control [REFERENCES]: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2 [DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. For more information, please see the security advisories page of Apache Santuario: http://santuario.apache.org/secadv.html -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com