List: xerces-j-dev
Subject: Security vulnerability in 2.12.0
From: Andrew Poon <andrewskpoon () gmail ! com>
Date: 2020-10-14 4:16:00
Message-ID: CAOmg7+86VtomqF-_vpr90+GZ2jeWfarv8nbdTHub4NjKH=4aHw () mail ! gmail ! com
Hi all,
I noticed a recently discovered vulnerability in Xerces
https://nvd.nist.gov/vuln/detail/CVE-2020-14338
CVE-2020-14338 Detail
Current Description
A flaw was found in Wildfly's implementation of Xerces, specifically in the
way the XMLSchemaValidator class in the JAXP component of Wildfly enforced
the "use-grammar-pool-only" feature. This flaw allows a specially-crafted
XML file to manipulate the validation process in certain cases. This issue
is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a
similar code. All xerces jboss versions before 2.12.0.SP3.
Is there any plan to create a bugfix release to remediate this?
Thanks
Andrew
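The NVD text above describes a failure to enforce the "use-grammar-pool-only" feature in XMLSchemaValidator. The following is an added example, not code from the original message, the Xerces project, or the NVD entry, showing how that feature is meant to be used and how to check that a given Xerces build actually honours it: a trusted schema is preparsed into an XMLGrammarPoolImpl, the pool is locked and handed to the parser, and an instance document whose xsi:schemaLocation hint points at an untrusted location (the host untrusted.invalid, the element and namespace names, and both documents are constructed for the example) is validated twice. A parser that honours the feature ignores the hint, reports nothing for the valid instance, and reports a cvc-datatype error for the invalid one, proving the pooled grammar is the one being enforced. Feature and property URIs are the documented Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.parsers.XMLGrammarPreparser;
import org.apache.xerces.util.XMLGrammarPoolImpl;
import org.apache.xerces.xni.grammars.XMLGrammarDescription;
import org.apache.xerces.xni.parser.XMLInputSource;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class GrammarPoolOnlyCheck {

    static final String NAMESPACES = "http://xml.org/sax/features/namespaces";
    static final String VALIDATION = "http://xml.org/sax/features/validation";
    static final String SCHEMA_VALIDATION = "http://apache.org/xml/features/validation/schema";
    static final String GRAMMAR_POOL = "http://apache.org/xml/properties/internal/grammar-pool";
    static final String USE_GRAMMAR_POOL_ONLY =
        "http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only";

    // Constructed trusted schema: the only grammar the application wants the validator to use.
    static final String TRUSTED_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'"
      + " targetNamespace='urn:example:trusted' elementFormDefault='qualified'>"
      + "<xs:element name='order'><xs:complexType><xs:sequence>"
      + "<xs:element name='amount' type='xs:int'/>"
      + "</xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

    // Constructed instance document; the schemaLocation hint names a hypothetical untrusted host.
    static String instance(String amount) {
        return "<t:order xmlns:t='urn:example:trusted'"
             + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
             + " xsi:schemaLocation='urn:example:trusted http://untrusted.invalid/evil.xsd'>"
             + "<t:amount>" + amount + "</t:amount></t:order>";
    }

    // Preparse the trusted schema into a pool and lock it so nothing can be added later.
    static XMLGrammarPoolImpl loadTrustedPool() throws Exception {
        XMLGrammarPoolImpl pool = new XMLGrammarPoolImpl();
        XMLGrammarPreparser preparser = new XMLGrammarPreparser();
        preparser.registerPreparser(XMLGrammarDescription.XML_SCHEMA, null);
        preparser.setProperty(GRAMMAR_POOL, pool);
        preparser.setFeature(NAMESPACES, true);
        preparser.setFeature(VALIDATION, true);
        preparser.setFeature(SCHEMA_VALIDATION, true);
        preparser.preparseGrammar(XMLGrammarDescription.XML_SCHEMA,
            new XMLInputSource(null, "trusted.xsd", null,
                new ByteArrayInputStream(TRUSTED_XSD.getBytes(StandardCharsets.UTF_8)), "UTF-8"));
        pool.lockPool();
        return pool;
    }

    // Validate xml against the pooled grammar only and collect every diagnostic the parser raises.
    static List<String> validate(XMLGrammarPoolImpl pool, String xml) throws Exception {
        final List<String> diagnostics = new ArrayList<>();
        SAXParser parser = new SAXParser();
        parser.setFeature(NAMESPACES, true);
        parser.setFeature(VALIDATION, true);
        parser.setFeature(SCHEMA_VALIDATION, true);
        parser.setProperty(GRAMMAR_POOL, pool);
        parser.setFeature(USE_GRAMMAR_POOL_ONLY, true);
        parser.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e)    { diagnostics.add("warning: " + e.getMessage()); }
            public void error(SAXParseException e)      { diagnostics.add("error: " + e.getMessage()); }
            public void fatalError(SAXParseException e) { diagnostics.add("fatal: " + e.getMessage()); }
        });
        parser.parse(new InputSource(new StringReader(xml)));
        return diagnostics;
    }

    public static void main(String[] args) throws Exception {
        XMLGrammarPoolImpl pool = loadTrustedPool();

        // 1. Valid per the pooled schema. If the untrusted hint were followed, the parser would
        //    try to fetch evil.xsd and report a schema_reference warning instead of staying silent.
        List<String> valid = validate(pool, instance("42"));
        System.out.println("valid instance:   " + valid);

        // 2. Invalid per the pooled schema. A cvc-datatype error shows the pooled grammar is enforced.
        List<String> invalid = validate(pool, instance("not-a-number"));
        System.out.println("invalid instance: " + invalid);

        boolean honoured = valid.isEmpty()
            && invalid.stream().anyMatch(m -> m.contains("cvc-datatype-valid"));
        System.out.println("use-grammar-pool-only honoured: " + honoured);
    }
}
```

Compile and run it against the exact xercesImpl jar deployed in your application (not whatever the JDK bundles), ideally with outbound network access blocked, so that an attempt to honour the untrusted hint fails loudly rather than silently succeeding. Treat "honoured: false" as evidence that the build in use does not enforce the feature and needs the fixed release. Where the Xerces build in use supports the JAXP 1.5 accessExternalSchema property, setting it to an empty string is an independent second layer that stops the validator fetching schemas from any external location, regardless of how the grammar-pool feature behaves.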