Apache Xerces security advisories
Security information for Apache Xerces
Reporting
Do you want disclose a potential security issue for Apache Xerces? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Use-after-free on external DTD scan
CVE-2024-23807 [CVE] [CVE json] [OSV json]
Last updated: 2024-02-28T13:50:38.265Z
Affected
- Apache Xerces C++ from 3.0.0 before 3.2.5
Description
References
- https://github.com/apache/xerces-c/pull/54
- https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r
Infinite loop within Apache XercesJ xml parser
CVE-2022-23437 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-24T14:59:39.857Z
Affected
- Apache Xerces from Apache XercesJ through 2.12.1
Description
There’s a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
References
Credits
- This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team