CVE-2022-23437

XML Injection (aka Blind XPath Injection) in maven/xerces/xercesImpl

Identifiers
GHSA-h65f-jvqw-m9fj, CVE-2022-23437
Package Slug
maven/xerces/xercesImpl
Vulnerability
XML Injection (aka Blind XPath Injection). This is the weakness category the advisory is filed under; the defect described below is a parser infinite loop (denial of service), not an injection.
Description
The Apache Xerces Java (XercesJ) XML parser can enter an infinite loop when it handles a specially crafted XML document. A parsing thread stuck in that loop keeps consuming system resources for as long as it runs, so an attacker who can feed XML to an affected application can cause a denial of service. XercesJ 2.12.1 and all earlier versions are affected.
Affected Versions
All versions before 2.12.2
Solution
Upgrade to version 2.12.2 or above.
Last Modified
2022-02-13
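Because the only remedy is an upgrade, the first practical step is to find every build that still resolves the affected artifact. The script below is an added example written for this page (it is not part of the advisory or of the Xerces project): it scans `mvn dependency:list` style output for `xerces:xercesImpl` entries whose version is below 2.12.2. The sample output it scans is constructed, and the Maven version comparison is deliberately simple (numeric tuple plus qualifier; a `2.12.2-SNAPSHOT` or `2.12.2-rc1` is treated as predating the 2.12.2 release).

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.12.1:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    xerces:xercesImpl:jar:2.9.1:test
[INFO]    xerces:xercesImpl:jar:2.12.2:runtime
"""

# From the advisory: all versions before 2.12.2 are affected.
FIXED_VERSION = "2.12.2"
VULNERABLE_GROUP_ARTIFACT = ("xerces", "xercesImpl")

# groupId:artifactId:type[:classifier]:version:scope
_DEP_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[^:\s]+)"
)


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split a Maven-style version into a numeric tuple and a qualifier.

    '2.12.1' -> ((2, 12, 1), ''); '2.12.2-SNAPSHOT' -> ((2, 12, 2), 'SNAPSHOT').
    This is a simplification of Maven's ordering, sufficient for release numbers.
    """
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return nums, qualifier


def is_vulnerable(version: str) -> bool:
    """True if `version` is below the fixed release 2.12.2."""
    nums, qualifier = parse_version(version)
    fixed_nums, _ = parse_version(FIXED_VERSION)
    if nums != fixed_nums:
        return nums < fixed_nums
    # Same numbers but a qualifier (SNAPSHOT, rc1, ...) predates the release itself.
    return qualifier != ""


def find_vulnerable_xerces(dependency_list_output: str) -> List[str]:
    """Return 'version:scope' for every xerces:xercesImpl entry below the fix."""
    hits: List[str] = []
    for line in dependency_list_output.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue
        if (m["group"], m["artifact"]) != VULNERABLE_GROUP_ARTIFACT:
            continue
        if is_vulnerable(m["version"]):
            hits.append(f"{m['version']}:{m['scope']}")
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable_xerces(SAMPLE_DEPENDENCY_LIST):
        print(f"CVE-2022-23437: vulnerable xerces:xercesImpl {hit}, upgrade to {FIXED_VERSION}")
```

Run it against real output with `mvn dependency:list | python3 check_xerces.py` after replacing the sample with `sys.stdin.read()`. Two caveats: a copy of Xerces shaded or relocated into another jar does not appear in the dependency list at all, and a `xml-apis`/`xerces` version pinned by `dependencyManagement` in a parent POM is what gets resolved, so check the effective POM rather than the declared one.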

Hi all,
Someone a while ago reported a particular vulnerability in the Apache XercesJ XML parser that causes the XercesJ XML parser to wait in an infinite loop when provided with specially crafted XML document payloads.
This mailing list post is to document this fact on an XercesJ public list, as required by Apache's process for handling that vulnerability.
The upcoming XercesJ version 2.12.2 would solve this mentioned XML parser vulnerability.


Todo:

  • Need to find and construct a PoC.