Apache Xerces security advisories

Security information for Apache Xerces

Reporting

Do you want disclose a potential security issue for Apache Xerces? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Use-after-free on external DTD scan

CVE-2024-23807 [CVE] [CVE json] [OSV json]

Last updated: 2024-02-28T13:50:38.265Z

Affected

  • Apache Xerces C++ from 3.0.0 before 3.2.5

Description

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs.

Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.

References

Infinite loop within Apache XercesJ xml parser

CVE-2022-23437 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-24T14:59:39.857Z

Affected

  • Apache Xerces from Apache XercesJ through 2.12.1

Description

There’s a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

References

Credits

  • This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team