CVE-2013-4002

high

Published 2013-07-23 · Modified 2024-12-03

CVSS v3

—

CVSS v2

7.1

VIR risk

7.1

Description

Missing XML Validation in Apache Xerces2

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — https://issues.apache.org/jira/browse/XERCESJ-1679

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — https://exchange.xforce.ibmcloud.com/vulnerabilities/85260

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21657539

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21653371

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21644197

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015

vendor Authored 2026-05-27

Vendor advisory: psirt@us.ibm.com — http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch

OS impact

OS	Version	Status
linux-kernel	-	not-affected
ubuntu	10.04	affected
ubuntu	12.04	affected
ubuntu	12.10	affected
ubuntu	13.04	affected
ubuntu	13.10	affected
suse	12.2	affected
suse	12.3	affected
suse	10	affected
suse	11	affected
suse	9	affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	xerces:xercesImpl	`<2.12.0`	`2.12.0`

Application impact

Vendor	Product	Versions	Fixed
ibm	java	`5.0.0.0`
ibm	java	`5.0.11.0`
ibm	java	`5.0.11.1`
ibm	java	`5.0.11.2`
ibm	java	`5.0.12.0`
ibm	java	`5.0.12.1`
ibm	java	`5.0.12.2`
ibm	java	`5.0.12.3`
ibm	java	`5.0.12.4`
ibm	java	`5.0.12.5`
ibm	java	`5.0.13.0`
ibm	java	`5.0.14.0`
ibm	java	`5.0.15.0`
ibm	java	`5.0.16.0`
ibm	java	`5.0.16.1`
ibm	java	`5.0.16.2`
ibm	java	`6.0.0.0`
ibm	java	`6.0.1.0`
ibm	java	`6.0.2.0`
ibm	java	`6.0.3.0`
ibm	java	`6.0.4.0`
ibm	java	`6.0.5.0`
ibm	java	`6.0.6.0`
ibm	java	`6.0.7.0`
ibm	java	`6.0.8.0`
ibm	java	`6.0.8.1`
ibm	java	`6.0.9.0`
ibm	java	`6.0.9.1`
ibm	java	`6.0.9.2`
ibm	java	`6.0.10.0`
ibm	java	`6.0.10.1`
ibm	java	`6.0.11.0`
ibm	java	`6.0.12.0`
ibm	java	`6.0.13.0`
ibm	java	`6.0.13.1`
ibm	java	`6.0.13.2`
ibm	java	`7.0.0.0`
ibm	java	`7.0.1.0`
ibm	java	`7.0.2.0`
ibm	java	`7.0.3.0`
ibm	java	`7.0.4.0`
ibm	java	`7.0.4.1`
ibm	java	`7.0.4.2`
oracle	jdk	`1.5.0`
oracle	jdk	`1.6.0`
oracle	jdk	`1.7.0`
oracle	jre	`1.5.0`
oracle	jre	`1.6.0`
oracle	jre	`1.7.0`
oracle	jrockit	`{"startIncluding":"r27.7.0","endIncluding":"r27.7.6"}`
ibm	sterling_b2b_integrator	`5.2.4`
ibm	host_on-demand	`11.0`
ibm	host_on-demand	`11.0.1`
ibm	host_on-demand	`11.0.2`
ibm	host_on-demand	`11.0.3`
ibm	host_on-demand	`11.0.4`
ibm	host_on-demand	`11.0.5`
ibm	host_on-demand	`11.0.5.1`
ibm	host_on-demand	`11.0.6`
ibm	host_on-demand	`11.0.6.1`
ibm	host_on-demand	`11.0.7`
ibm	host_on-demand	`11.0.8`
ibm	tivoli_application_dependency_discovery_manager	`7.2.2`
ibm	sterling_b2b_integrator	`5.1`
ibm	sterling_b2b_integrator	`5.2`
ibm	sterling_file_gateway	`2.1`
ibm	sterling_file_gateway	`2.2`
apache	xerces2_java	`{"startIncluding":"2.4.0","endExcluding":"2.12.0"}`	`2.12.0`

References

Verify integrity in audit chain (admin only). AS-IS.