CVE-2022-23437
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-23437
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-23437.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 2.12.2-1 |
| debian | bullseye | affected | |
| debian | forky | fixed | 2.12.2-1 |
| debian | sid | fixed | 2.12.2-1 |
| debian | trixie | fixed | 2.12.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | nokogiri | <>= 1.13.4 | >= 1.13.4 |
| Maven | xerces:xercesImpl | <2.12.2 | 2.12.2 |
References
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
- https://www.suse.com/security/cve/CVE-2022-23437.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-23437
- https://github.com/jboss/xerces
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
- https://security.netapp.com/advisory/ntap-20221028-0005
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://www.openwall.com/lists/oss-security/2022/01/24/3
- https://security-tracker.debian.org/tracker/CVE-2022-23437
Verify integrity in audit chain (admin only). AS-IS.