Date: Fri, 23 Aug 2019 16:45:10 +0100 From: Colm O hEigeartaigh <coheigea@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source The following security advisory is announced for the Apache Santuario - XML Security for Java project, which is fixed in the recent 2.1.4 release. [CVEID]:CVE-2019-12400 [PRODUCT]:Apache Santuario - XML Security for Java [VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4. [PROBLEMTYPE]:Process Control [REFERENCES]: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2 [DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. For more information, please see the security advisories page of Apache Santuario: http://santuario.apache.org/secadv.html -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.