[jira] [Commented] (TIKA-3664) [8.6] [CVE-2022-23437] [xercesImpl] [2.12.1]

Fri, 28 Jan 2022 04:39:04 -0800 


    [ 
https://issues.apache.org/jira/browse/TIKA-3664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17483750#comment-17483750
 ] 

Tim Allison commented on TIKA-3664:
-----------------------------------

Was that recently released? I don’t see it yet here: 
https://mvnrepository.com/artifact/xerces/xercesImpl

> [8.6] [CVE-2022-23437] [xercesImpl] [2.12.1]
> --------------------------------------------
>
>                 Key: TIKA-3664
>                 URL: https://issues.apache.org/jira/browse/TIKA-3664
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Aman Mishra
>            Priority: Major
>
> tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar 
> tika-bundle-standard is using xercesImpl-2.12.1.jar, which seems to be 
> vulnerable. Please check.
> *Description :*
> *Severity :* Sonatype CVSS 3: 8.6CVE CVSS 2.0: 0.0
> *Weakness :* Sonatype CWE: 611
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* There XML parser when handling specially crafted XML 
> document payloads. This causes, the XercesJ XML parser to wait in an infinite 
> loop, which may sometimes consume system resources for prolonged duration. 
> This vulnerability is present within XercesJ version 2.12.1 and the previous 
> versions.
> *Explanation :* This issue has undergone the Sonatype Fast-Track process. For 
> more information, please see the Sonatype Knowledge Base Guide.
> *Root Cause :* xercesImpl-2.12.1.jar : [ ,2.12.2]
> *Advisories :* Project: 
> [http://www.openwall.com/lists/oss-security/2022/01/24/3]
> *CVSS Details :* Sonatype CVSS 3: 8.6CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
> *Occurences (Paths) :* 
> ["/tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar"]
> *CVE :* CVE-2022-23437
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437]
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.
> *First Scan Date :* Wed Jan 26 02:49:18 IST 2022



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to