[ https://issues.apache.org/jira/browse/OFBIZ-12549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12549.
-----------------------------------
    Fix Version/s: 18.12.06
                   22.01.01
       Resolution: Fixed

> [SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-12549
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12549
>             Project: OFBiz
>          Issue Type: Bug
>          Components: Gradle
>    Affects Versions: 18.12.05, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> Severity: high
>
> Description:
> There's a vulnerability within the Apache Xerces Java (XercesJ) XML
> parser when handling specially crafted XML document payloads. This
> causes the XercesJ XML parser to wait in an infinite loop, which may
> sometimes consume system resources for a prolonged duration. This
> vulnerability is present within XercesJ version 2.12.1 and the
> previous versions.
>
> Mitigation:
> Apache XercesJ users should migrate to version 2.12.2
>
> Credit:
> This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon
> Corretto/JDK Team
>
> References:
> https://markmail.org/message/vcmhwbuorfgcdr6l



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
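The fix here is a Gradle dependency bump, so the useful check is whether any build still resolves xercesImpl below 2.12.2. The script below is an added example, not part of the Jira issue or the OFBiz build: it scans `gradle dependencies` tree output for the `xerces:xercesImpl` artifact, honours Gradle's `declared -> resolved` conflict notation, and flags versions below the advisory's fixed release. The sample tree output is constructed for the example.

```python
import re
from typing import List, Tuple

# Artifact and minimum safe version taken from the advisory above.
XERCES_ARTIFACT = "xerces:xercesImpl"
FIXED_VERSION = "2.12.2"

# Matches one line of `gradle dependencies` tree output, e.g.
#   +--- xerces:xercesImpl:2.12.1 -> 2.12.2 (*)
# capturing group:artifact, the declared version and the optional
# resolved version Gradle prints after "->" when it settles a conflict.
_DEP_LINE = re.compile(
    r"[+\\|\s]*---\s+(?P<ga>[\w.\-]+:[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.12.1' into (2, 12, 1); non-numeric suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_vulnerable_xerces(tree_output: str) -> List[str]:
    """Return every effective xercesImpl version below FIXED_VERSION."""
    findings = []
    for line in tree_output.splitlines():
        m = _DEP_LINE.search(line)
        if not m or m.group("ga") != XERCES_ARTIFACT:
            continue
        # The resolved version is what actually lands on the classpath;
        # fall back to the declared one when no conflict was resolved.
        effective = m.group("resolved") or m.group("declared")
        if parse_version(effective) < parse_version(FIXED_VERSION):
            findings.append(effective)
    return findings


# Constructed sample of `gradle dependencies` output (not the OFBiz build).
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- xerces:xercesImpl:2.12.1
|    \\--- xml-apis:xml-apis:1.4.01
+--- org.example:some-lib:1.0
|    \\--- xerces:xercesImpl:2.12.0 -> 2.12.1 (*)
\\--- org.example:other-lib:2.0
     \\--- xerces:xercesImpl:2.11.0 -> 2.12.2
"""

if __name__ == "__main__":
    for v in find_vulnerable_xerces(SAMPLE_TREE):
        print(f"xercesImpl {v} is below {FIXED_VERSION}; upgrade per CVE-2022-23437")
```

Run it against `./gradlew dependencies --configuration runtimeClasspath` output for each subproject; the third sample entry shows why the resolved version, not the declared one, must be compared.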