Olivier Jaquemet created XERCESJ-1722:
-----------------------------------------

             Summary: Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
                 Key: XERCESJ-1722
                 URL: https://issues.apache.org/jira/browse/XERCESJ-1722
             Project: Xerces2-J
          Issue Type: Bug
          Components: Serialization
    Affects Versions: 2.12.1
            Reporter: Olivier Jaquemet


The following jars are bundled in the Xerces-J 2.12.1 binary distribution:

{{47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 resolver.jar}}
{{*1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391 serializer.jar*}}
{{a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad xml-apis.jar}}

Extracting information from the MANIFEST:
 * resolver.jar / Implementation-Version: 1.2
 * *serializer.jar / Implementation-Version: 2.7.1*
 * xml-apis.jar / Implementation-Version: 1.4.01

Problem:

If it IS the Xalan serializer 2.7.1 (which I could not confirm from the hash), this version is vulnerable to CVE-2014-0107:
[https://nvd.nist.gov/vuln/detail/CVE-2014-0107]

Xalan 2.7.2 was released in April 2014 and should probably be included, to prevent an uninformed user from relying on the whole Xerces-J distribution.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
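The check the report performs by hand, as an added example that is not part of the issue or of the Xerces-J project: the script hashes a jar, reads Implementation-Version from META-INF/MANIFEST.MF (handling manifest continuation lines) and flags a serializer.jar older than 2.7.2. The digest table is copied from the report above; build_sample_jar constructs a throwaway jar for demonstration and is not a real Xalan artifact.

```python
import hashlib
import io
import zipfile

# Digests quoted in the report above, keyed by jar name, so a local copy can be compared.
REPORTED_SHA256 = {
    "resolver.jar": "47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1",
    "serializer.jar": "1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391",
    "xml-apis.jar": "a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad",
}
FIXED_SERIALIZER_VERSION = (2, 7, 2)  # Xalan 2.7.2, the release the report points to

def parse_manifest(text):
    """Main section of META-INF/MANIFEST.MF as a dict; a leading space continues the previous line."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]  # manifest lines are wrapped at 72 bytes
        else:
            last_key, _, value = line.partition(":")
            last_key = last_key.strip()
            attrs[last_key] = value.strip()
    return attrs

def parse_version(text):
    """'2.7.1' or '1.4.01' -> comparable tuple of ints; a missing version compares as (0,)."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in text.split("."))

def inspect_jar(data, name):
    """Return (sha256 hex, Implementation-Version, vulnerable) for a jar given as bytes."""
    digest = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    version = parse_manifest(manifest).get("Implementation-Version", "")
    # Only serializer.jar is in scope for CVE-2014-0107; an absent version is treated as old.
    vulnerable = name == "serializer.jar" and parse_version(version) < FIXED_SERIALIZER_VERSION
    return digest, version, vulnerable

def build_sample_jar(version):
    """Constructed sample jar (not a real Xalan artifact) declaring `version` in its manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n\n")
    return buf.getvalue()
```

On an unpacked distribution, call `inspect_jar(open(path, "rb").read(), name)` for each jar and compare the returned digest against REPORTED_SHA256 to confirm you are looking at the same files the report describes.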
