CVE-2019-12400

Severity

5.5

Description

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario – XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario – XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12400

http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2

https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c@%3Cdev.santuario.apache.org%3E

Project

Category

Process Control

Tags

data

Date Disclosed

2019-08-23

Date Discovered

2019-05-28

Apache TomEE 8.0.x

First release:

2019-09-13

CVEs:

88

Support Lifecycle:

Namespace:

javax

Apache TomEE 7.1.x

First release:

2018-09-02

CVEs:

81

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.1.0 7.1.1 7.1.2 7.1.3 7.1.4

Apache TomEE 7.0.x

First release:

2016-05-17

CVEs:

111

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.2 7.0.3 7.0.4 7.0.5 7.0.6 7.0.7 7.0.8 7.0.9

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.