Message-ID: <CAB8XdGCSzjGtGOhbEv0QdfvwcfJpAr=kyAb4SYM+BKjgM7aJYw@mail.gmail.com>
Date: Fri, 23 Aug 2019 16:45:10 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

The following security advisory is announced for the Apache Santuario - XML Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc.

For more information, please see the security advisories page of Apache Santuario: http://santuario.apache.org/secadv.html

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
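The advisory describes a static pool of DocumentBuilders whose implementation class is resolved through the thread context class loader and then cached for every later caller. The following is an added illustration of that pooling pattern beside a hardened form; it is constructed for this note and is not Santuario's code or its actual fix. It assumes Java 9 or later for DocumentBuilderFactory.newDefaultInstance(), and the pool sizes and names are arbitrary.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;

/** Constructed illustration of two DocumentBuilder pooling styles (not Santuario's code). */
public final class DocumentBuilderPoolDemo {

    // Weak pattern: the JAXP lookup behind newInstance() consults the thread
    // context class loader when the pool is filled. Whatever implementation
    // wins that lookup is cached in a static pool and served to all callers.
    static final BlockingQueue<DocumentBuilder> WEAK_POOL = new ArrayBlockingQueue<>(4);

    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        DocumentBuilder db = WEAK_POOL.poll();
        if (db == null) {
            db = DocumentBuilderFactory.newInstance().newDocumentBuilder(); // TCCL-dependent
        }
        return db;
    }

    // Hardened pattern: pin the parser to the JDK's built-in implementation
    // (newDefaultInstance() skips the TCCL/ServiceLoader lookup), enable secure
    // processing, and refuse to cache a factory that did not come from the
    // platform (bootstrap) loader, which reports null for getClassLoader().
    static final BlockingQueue<DocumentBuilder> SAFE_POOL = new ArrayBlockingQueue<>(4);

    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilder db = SAFE_POOL.poll();
        if (db == null) {
            DocumentBuilderFactory f = DocumentBuilderFactory.newDefaultInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            if (f.getClass().getClassLoader() != null) {
                throw new ParserConfigurationException(
                    "Refusing to cache non-platform DocumentBuilderFactory: " + f.getClass());
            }
            db = f.newDocumentBuilder();
        }
        return db;
    }

    static void release(BlockingQueue<DocumentBuilder> pool, DocumentBuilder db) {
        db.reset(); // clear per-use state (handlers, resolvers) before another caller reuses it
        pool.offer(db);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = safeBuilder();
        System.out.println("Pooled implementation: " + db.getClass().getName());
        release(SAFE_POOL, db);
    }
}
```

The class loader check is redundant when newDefaultInstance() is used, but it keeps the pool safe if the factory creation line is later changed back to a lookup-based newInstance() variant.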