List: oss-security
Subject: [oss-security] [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untruste
From: Colm O hEigeartaigh <coheigea () apache ! org>
Date: 2019-08-23 15:45:10
Message-ID: CAB8XdGCSzjGtGOhbEv0QdfvwcfJpAr=kyAb4SYM+BKjgM7aJYw () mail ! gmail ! com
The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.
[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc.
For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
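The pattern the advisory describes (a static pool of DocumentBuilders whose factory was resolved through the thread context class loader) can be made safer on the consuming side. The following is an added example, not Santuario's code nor the advisory author's: it pins the JAXP factory implementation by class name instead of letting the service lookup consult the thread context class loader, keys any cached builder by the class loader it was created under, and includes a small check that reports whether the default lookup resolved to the expected implementation. The class name in EXPECTED_FACTORY_CLASS (the JDK's bundled factory) and the class and method names are assumptions for the demonstration; a deployment should pin whichever parser implementation it actually ships.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/**
 * Added example, not Santuario's code. Two defensive habits for a shared
 * DocumentBuilder pool:
 *  1. pin the factory implementation class instead of letting JAXP resolve it
 *     through the thread context class loader (TCCL), and
 *  2. key any cached builder by the class loader it was created under, so a
 *     builder made in one context is never handed to another.
 */
public final class PinnedBuilderPool {

    // Assumption: the parser implementation this deployment ships. The JDK's
    // bundled Xerces-derived factory is used as a placeholder; replace it with
    // the implementation actually on the classpath.
    static final String EXPECTED_FACTORY_CLASS =
            "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl";

    // One builder per class loader. DocumentBuilder is not thread-safe, so
    // callers synchronize on the instance and reset() it before each use.
    private static final Map<ClassLoader, DocumentBuilder> POOL = new ConcurrentHashMap<>();

    private PinnedBuilderPool() {}

    /** Factory by explicit class name: JAXP's service-provider lookup via the TCCL is skipped. */
    static DocumentBuilderFactory pinnedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(
                EXPECTED_FACTORY_CLASS, PinnedBuilderPool.class.getClassLoader());
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: refuse any DOCTYPE, which also rules out external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf;
    }

    /** Detection check: did a factory obtained the default way resolve to the expected class? */
    static boolean isExpectedImplementation(DocumentBuilderFactory dbf) {
        return EXPECTED_FACTORY_CLASS.equals(dbf.getClass().getName());
    }

    /** Returns the builder bound to the caller's current TCCL, creating it on first use. */
    static DocumentBuilder builderForCurrentContext() throws ParserConfigurationException {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        ClassLoader key = (tccl != null) ? tccl : ClassLoader.getSystemClassLoader();
        DocumentBuilder db = POOL.get(key);
        if (db == null) {
            DocumentBuilder fresh = pinnedFactory().newDocumentBuilder();
            DocumentBuilder raced = POOL.putIfAbsent(key, fresh);
            db = (raced != null) ? raced : fresh;
        }
        return db;
    }

    /** Parses bytes with the pooled builder for this context. */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilder db = builderForCurrentContext();
        synchronized (db) {
            db.reset();
            return db.parse(new ByteArrayInputStream(xml));
        }
    }

    public static void main(String[] args) throws Exception {
        // Default lookup order: system property, jaxp.properties, then ServiceLoader
        // through the TCCL. Anything registered there wins over the JDK default.
        DocumentBuilderFactory viaLookup = DocumentBuilderFactory.newInstance();
        System.out.println("default lookup resolved to " + viaLookup.getClass().getName()
                + ", expected implementation: " + isExpectedImplementation(viaLookup));

        // Constructed sample document for the demo.
        byte[] sample = "<signed><payload>hello</payload></signed>".getBytes(StandardCharsets.UTF_8);
        Document doc = parse(sample);
        System.out.println("parsed root element: " + doc.getDocumentElement().getTagName()
                + " via " + builderForCurrentContext().getClass().getName());
    }
}
```

Compile and run it with a plain JDK (javac PinnedBuilderPool.java && java PinnedBuilderPool). The point of the explicit newInstance(String, ClassLoader) call is that the implementation class comes from the loader the application controls rather than from whatever service registration is visible through the thread context class loader at the moment the pool is first filled; the isExpectedImplementation check is a cheap startup assertion a deployment can log or fail on if the default lookup ever resolves to something other than the pinned class.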