oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

From: Colm O hEigeartaigh <coheigea () apache org>
Date: Fri, 23 Aug 2019 16:45:10 +0100
The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a
caching mechanism
              was introduced to speed up creating new XML documents using a
static pool of
              DocumentBuilders.

              However, if some untrusted code can register a malicious
implementation with
              the thread context class loader first, then this
implementation might be
              cached and re-used by Apache Santuario - XML Security for
Java, leading to
              potential security flaws when validating signed documents,
etc.

For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Previous By Date Next
Previous By Thread Next

Current thread: