xerces:xercesImpl@2.3.0 vulnerabilities

  • latest version: 2.12.2

  • first published: 19 years ago

  • latest version published: 3 years ago
  • Direct Vulnerabilities

    Known vulnerabilities in the xerces:xercesImpl package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable versions
    • High severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS) via the XML parser when handling specially crafted XML document payloads. When the parser tries to parse such a document it gets stuck in an infinite loop, which consumes resources for a long time.

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.12.2 or higher.

    Vulnerable versions: [0,2.12.2)
    • Medium severity: Improper Input Validation

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Improper Input Validation due to the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses similar code.

    How to fix Improper Input Validation?

    Upgrade xerces:xercesImpl to version 2.12.0.SP03 or higher.

    Vulnerable versions: [,2.12.0.SP03)
    • Medium severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS). Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in the unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: applies to client and server deployments of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.12.0 or higher.

    Vulnerable versions: [,2.12.0)
    • Medium severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS). XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.10.0 or higher.

    Vulnerable versions: [,2.10.0)
    • High severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS). Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.12.0 or higher.

    Vulnerable versions: [0,2.12.0)
    • Medium severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker may be able to force the target server to parse an FTP URL that points to an FTP server controlled by the attacker. When the target server is midway through fetching the FTP resource, the attacker's malicious FTP server exits the process and leaves the thread hanging in the target server.

    It is possible to conduct this attack only if the following conditions are met:

    • An attacker can pass a URL parameter that points to a controlled FTP server to the target.
    • Target server uses vulnerable component(s) to fetch the resource specified by the attacker.
    • Target server does not prevent fetching of FTP URI resources.
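    The third condition is the one an application can remove on its own. As an added, defender-side example (not part of this Snyk page or of the Xerces project), the configuration below builds a JAXP DocumentBuilder that refuses DOCTYPE declarations and external entity resolution, so the parser never dereferences an ftp:// (or any other) URI taken from document content. The feature URIs are the standard SAX and Xerces ones; the sample document and the example.invalid host are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    /** Builds a DocumentBuilder that never follows external references (DTDs, entities, FTP/HTTP URIs). */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without a DTD there is no external entity or URI to fetch.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPEs are later allowed: do not resolve external entities or DTDs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // If a resolver is ever consulted anyway, hand back an empty source instead of dereferencing the URI.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE whose system identifier is an FTP URL on a non-routable test host.
        String constructed =
            "<!DOCTYPE doc SYSTEM \"ftp://example.invalid/x.dtd\"><doc>hello</doc>";
        DocumentBuilder db = newHardenedBuilder();
        try {
            db.parse(new InputSource(new StringReader(constructed)));
            System.out.println("parsed without rejecting the DOCTYPE (hardening not in effect)");
        } catch (SAXException e) {
            // disallow-doctype-decl rejects the document before any network access is attempted.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the dependency at 2.11.0 or higher remains the fix for the underlying bug; the configuration above limits exposure of every Xerces version to attacker-supplied URIs regardless of which entry on this page applies.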

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.11.0 or higher.

    Vulnerable versions: [,2.11.0)
    • Medium severity: Denial of Service (DoS)

    xerces:xercesImpl is a library that provides high performance, fully compliant XML parsers in the Apache Xerces family.

    Affected versions of this package are vulnerable to Denial of Service (DoS) which is caused by the way the JRE processes XML files. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.

    How to fix Denial of Service (DoS)?

    Upgrade xerces:xercesImpl to version 2.11.0.SP5 or higher.

    Vulnerable versions: [,2.11.0.SP5)