[
https://issues.apache.org/jira/browse/XERCESJ-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490044#comment-17490044
]
Rajesh commented on XERCESJ-1738:
---------------------------------
There is no direct usage of XercesJ from our project POM; the POM depends on
"com.springsource.org.apache.xerces".
Does Xerces have any plan to upgrade "com.springsource.org.apache.xerces"?
> [7.1] [CVE-2013-4002] [org.apache.xerces] [2.9.0]
> -------------------------------------------------
>
> Key: XERCESJ-1738
> URL: https://issues.apache.org/jira/browse/XERCESJ-1738
> Project: Xerces2-J
> Issue Type: Bug
> Reporter: Rajesh
> Priority: Major
>
> *Description :*
> *Severity :* CVE CVSS 2.0: 7.1, Sonatype CVSS 3: 6.5
> *Weakness :* Sonatype CWE: 400
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* XMLscanner.java in Apache Xerces2 Java Parser before
> 2.12.0, as used in the Java Runtime Environment in IBM Java 5.0 before 5.0
> SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well
> as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51
> and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java
> SE Embedded 7u40 and earlier, and possibly other products allows remote
> attackers to cause a denial of service via vectors related to XML attribute
> names.
> *Explanation :* Apache Xerces is vulnerable to Denial of Service [DoS]. A
> flaw exists in how XMLScanner.java processes XML pseudo-attributes. A remote
> attacker can exploit this behavior by uploading an XML document to cause a
> processing error resulting in a DoS.
> *Detection :* The application is vulnerable if using Xerces to parse
> untrusted and/or user-created XML.
> *Recommendation :* We recommend upgrading to a version of this component that
> is not vulnerable to this specific issue.
> *Root Cause :* org.apache.xerces-2.9.0.jar : [ , 2.11.0.SP5]
> *Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=1019176]
> *CVSS Details :* CVE CVSS 2.0: 7.1, CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
> *Occurrences (Paths) :* ["com.springsource.org.apache.xerces-2.9.1.jar"]
> *CVE :* CVE-2013-4002
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002]
>
> Note: The com.springsource.org.apache.xerces-2.9.1.jar depends on
> org.apache.xerces-2.9.0.jar, so com.springsource.org.apache.xerces also needs
> to be fixed accordingly.
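The recommendation in the report is to move to a non-vulnerable version. For a Maven build that only reaches Xerces through the repackaged `com.springsource.org.apache.xerces` jar, one way to do that is to drop the repackaged artifact and depend on upstream Xerces directly. The POM fragment below is an added example, not part of the XERCESJ-1738 thread or the Xerces project; it assumes the repackaged artifact is published under groupId `org.apache.xerces` (as the jar name `org.apache.xerces-2.9.0.jar` in the report suggests), that the upstream artifact is `xerces:xercesImpl`, and that a hypothetical library `com.example:example-lib` is what drags the repackaged jar in transitively. 2.12.0 is the first fixed release named in the CVE text.

```xml
<!-- Added example, not from the Jira thread. Assumed coordinates:
     org.apache.xerces:com.springsource.org.apache.xerces (repackaged, vulnerable),
     xerces:xercesImpl (upstream), com.example:example-lib (hypothetical consumer). -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>xerces-consumer</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin upstream Xerces to a release that contains the CVE-2013-4002 fix,
           so every module and transitive path resolves to this version. -->
      <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.12.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Before: the repackaged 2.9.1 jar, which bundles vulnerable Xerces 2.9.0.
         Shown commented out for comparison; remove it from the build. -->
    <!--
    <dependency>
      <groupId>org.apache.xerces</groupId>
      <artifactId>com.springsource.org.apache.xerces</artifactId>
      <version>2.9.1</version>
    </dependency>
    -->

    <!-- After: depend on upstream Xerces directly; version comes from dependencyManagement. -->
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </dependency>

    <!-- Any library that still pulls the repackaged jar in transitively gets an
         exclusion, so the vulnerable classes cannot reappear on the classpath. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.xerces</groupId>
          <artifactId>com.springsource.org.apache.xerces</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm with `mvn dependency:tree` that no `com.springsource.org.apache.xerces` artifact remains anywhere in the resolved tree and that `xerces:xercesImpl` resolves to 2.12.0 or later. The detection criterion in the report still applies afterwards: the exposure exists only where the application hands untrusted XML to the parser, so the dependency fix and an inventory of which code paths parse external input belong together.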
--
This message was sent by Atlassian Jira
(v8.20.1#820001)