
List:       oss-security
Subject:    [oss-security] [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untruste
From:       Colm O hEigeartaigh <coheigea () apache ! org>
Date:       2019-08-23 15:45:10
Message-ID: CAB8XdGCSzjGtGOhbEv0QdfvwcfJpAr=kyAb4SYM+BKjgM7aJYw () mail ! gmail ! com


The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a
caching mechanism was introduced to speed up creating new XML documents using a
static pool of DocumentBuilders.

However, if some untrusted code can register a malicious implementation with
the thread context class loader first, then this implementation might be
cached and re-used by Apache Santuario - XML Security for Java, leading to
potential security flaws when validating signed documents, etc.
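The class of problem the description refers to is a JAXP factory lookup that consults the thread context class loader (the ServiceLoader step of DocumentBuilderFactory.newInstance()), combined with a static pool that keeps whatever answered first. The following is an added illustration written for this page; it is not Santuario's code and not the change shipped in 2.1.4. It shows one defensive pattern: name the parser implementation and the class loader explicitly so the TCCL plays no part in the lookup, verify the concrete class that was actually loaded, harden the factory, and only then build the per-thread pool. The implementation class name EXPECTED_IMPL (the JDK's bundled Xerces copy) is an assumption chosen for the example; an application should put the parser it deliberately ships there.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/**
 * Added example (not Santuario code): a DocumentBuilder pool whose contents
 * cannot be influenced by whoever controls the thread context class loader
 * at the time of the first call.
 */
public final class PinnedDocumentBuilders {

    // ASSUMPTION: the parser implementation this application deliberately ships.
    // The JDK's bundled Xerces copy is used here only as a placeholder value.
    static final String EXPECTED_IMPL =
            "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl";

    // Created once, from a pinned factory. A bare DocumentBuilderFactory.newInstance()
    // would instead consult the thread context class loader (ServiceLoader lookup),
    // so the first caller's TCCL would decide what every later caller gets.
    private static final DocumentBuilderFactory FACTORY = createPinnedFactory();

    // One builder per thread: DocumentBuilder is not thread-safe, and each builder
    // is reset() before it is reused for another document.
    private static final ThreadLocal<DocumentBuilder> POOL = ThreadLocal.withInitial(() -> {
        try {
            return FACTORY.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("cannot create DocumentBuilder", e);
        }
    });

    static DocumentBuilderFactory createPinnedFactory() {
        // Name both the class and the loader. Passing null as the loader would fall
        // back to the thread context class loader, which is exactly what we avoid.
        ClassLoader pinned = PinnedDocumentBuilders.class.getClassLoader();
        if (pinned == null) {
            pinned = ClassLoader.getSystemClassLoader();
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(EXPECTED_IMPL, pinned);

        // Fail closed if something other than the expected implementation answered.
        if (!EXPECTED_IMPL.equals(f.getClass().getName())) {
            throw new IllegalStateException(
                    "unexpected DocumentBuilderFactory: " + f.getClass().getName());
        }
        try {
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Xerces feature: refuse any DOCTYPE, which also rules out external entities.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("parser lacks a required hardening feature", e);
        }
        return f;
    }

    /** Parses untrusted bytes with this thread's pooled builder. */
    public static Document parse(byte[] xml) throws Exception {
        DocumentBuilder b = POOL.get();
        try {
            return b.parse(new ByteArrayInputStream(xml));
        } finally {
            b.reset(); // drop any state left behind by the previous document
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration.
        byte[] sample = "<doc><a>1</a></doc>".getBytes(StandardCharsets.UTF_8);
        Document d = parse(sample);
        System.out.println("factory: " + FACTORY.getClass().getName());
        System.out.println("root   : " + d.getDocumentElement().getTagName());
    }
}
```

The class-name check after construction is the part worth keeping even if the rest is adapted: it turns a silently substituted parser into a startup failure, which is far easier to notice than a document that validates when it should not.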

For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

