oss-sec mailing list archives
[CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source
From: Colm O hEigeartaigh <coheigea () apache org>
Date: Fri, 23 Aug 2019 16:45:10 +0100
The following security advisory is announced for the Apache Santuario - XML Security for Java project. The issue is fixed in the recent 2.1.4 release.

[CVEID]: CVE-2019-12400

[PRODUCT]: Apache Santuario - XML Security for Java

[VERSION]: All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.

[PROBLEMTYPE]: Process Control

[REFERENCES]: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2

[DESCRIPTION]: In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc.

For more information, please see the security advisories page of Apache Santuario: http://santuario.apache.org/secadv.html

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
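The weakness described above is that DocumentBuilderFactory.newInstance() resolves its implementation through the thread context class loader, so a cache that keeps the first result pins whatever that lookup returned. The following is an added illustration, not Santuario's own code: a hypothetical pool (class and method names are assumptions) that contrasts the TCCL-dependent lookup with a factory pinned to the JDK's built-in implementation via newDefaultInstance() (Java 9+), and a check a pool can run before caching a builder.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

/** Hypothetical pool illustrating the advisory's point; not Apache Santuario code. */
public final class PinnedDocumentBuilderPool {

    /**
     * Weak pattern: the implementation is chosen by the thread context class
     * loader (system property, then ServiceLoader on the TCCL, then the default).
     * A static cache of this result locks in whichever implementation was
     * resolved first, for every later caller.
     */
    static DocumentBuilderFactory lookupViaContextLoader() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened pattern: request the JDK's built-in implementation explicitly
     * (Java 9+), bypassing the TCCL and service-loader lookup, and configure it
     * securely before any builder is created or cached.
     */
    static DocumentBuilderFactory pinnedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newDefaultInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces-specific feature; supported by the JDK's bundled parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /**
     * Defensive check before a builder enters a shared cache: accept only
     * implementations defined by the bootstrap loader (null) or the platform
     * loader, i.e. classes shipped with the JDK rather than application code.
     */
    static boolean isPlatformImplementation(DocumentBuilder builder) {
        ClassLoader cl = builder.getClass().getClassLoader();
        return cl == null || cl == ClassLoader.getPlatformClassLoader();
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilder viaTccl = lookupViaContextLoader().newDocumentBuilder();
        DocumentBuilder pinned = pinnedFactory().newDocumentBuilder();
        System.out.println("TCCL lookup resolved: " + viaTccl.getClass().getName()
                + " (platform=" + isPlatformImplementation(viaTccl) + ")");
        System.out.println("Pinned factory gave:  " + pinned.getClass().getName()
                + " (platform=" + isPlatformImplementation(pinned) + ")");
    }
}
```

Run on a stock JDK both lines report the bundled parser; on a classpath where another implementation has been registered, the first line reveals what a TCCL-based cache would have kept.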