{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-23437", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T03:43:45.690Z", "dateReserved": "2022-01-19T00:00:00", "datePublished": "2022-01-24T00:00:00"}, "containers": {"cna": {"title": "Infinite loop within Apache XercesJ xml parser", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Xerces", "versions": [{"version": "Apache XercesJ", "status": "affected", "lessThanOrEqual": "2.12.1", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}], "credits": [{"lang": "en", "value": "This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "high"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Infinite loop within Apache XercesJ xml parser"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "value": "Apache XercesJ users, should migrate to version 2.12.2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:45.690Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0005/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*", "matchCriteriaId": "35BFF235-489B-4262-94F4-061317ED4EAE", "versionEndIncluding": "2.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "ED63D221-31FA-480F-802F-844334F429F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "3141B86F-838D-491A-A8ED-3B7C54EA89C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "02712DD6-D944-4452-8015-000B9851D257", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "274BCA96-2E6A-4B77-B69E-E2093A668D28", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D4B738B-08CF-44F6-A939-39F5BEAF03B2", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4A07A20-CDE7-40A8-B24A-D4181C4398A0", "versionEndIncluding": "8.0.9.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "83DEEFFB-058D-4ABD-9083-AF70772D7010", "versionEndExcluding": "8.1.2.0", "versionStartIncluding": "8.1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596", "versionEndIncluding": "8.0.8.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "18E7AC20-F70C-4A92-817D-94CE9FB3EB0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F3D55FB5-8ED8-4797-B5BC-545477AF7347", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE85204F-614D-4EF1-ABEB-B3CD381C2CB0", "versionEndExcluding": "13.9.4.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5A6FFB5C-EB44-499F-BE81-24ED2B1F201A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0728F8-14D0-4282-9CA7-EFCD68EE77AF", "versionEndExcluding": "12.2.0.1.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D450B848-371E-4401-9DB0-27AF31B5D5EA", "versionEndIncluding": "3.0.5", "versionStartIncluding": "3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "4BE4F581-7DEF-4417-A55D-561BDAC5CA7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "D361A9A8-15B0-4527-868B-80998772F2AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "4A667A37-59EB-4539-ADCA-D5F789DB6744", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6300315-7816-4F4E-A1C3-99EF5984B94A", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "F04DF183-EBCB-456E-90F9-A8500E6E32B7", "versionEndIncluding": "18.8.14", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D30B0D1-4466-4601-8822-CE8ADBB381FB", "versionEndIncluding": "19.12.13", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E362FE6-A387-4DFB-ADD7-FB4BAE9DE7CB", "versionEndIncluding": "20.12.8", "versionStartIncluding": "20.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F978162-CB2C-4166-947A-9048C6E878BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "360B307A-3D7F-4B38-8248-76CF8318B023", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "31FFE404-027E-4B59-B3EF-BD20E1F7EECC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "798E4FEE-9B2B-436E-A2B3-B8AA1079892A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CB86F6C3-981E-4ECA-A5EB-9A9CD73D70C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6B042849-7EF5-4A5F-B6CD-712C0B8735BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7435071D-0C95-4686-A978-AFC4C9A0D0FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CFCE558-9972-46A2-8539-C16044F1BAA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A1194C4E-CF42-4B4D-BA9A-40FDD28F1D58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "822A3C37-86F2-4E91-BE91-2A859F983941", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD311C33-A309-44D5-BBFB-539D72C7F8C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F8383028-B719-41FD-9B6A-71F8EB4C5F8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "AE1BC44A-F0AF-41CD-9CEB-B07AB5ADAB38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "E702EBED-DB39-4084-84B1-258BC5FE7545", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3F7956BF-D5B6-484B-999C-36B45CD8B75B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "DEE71EA5-B315-4F1E-BFEE-EC426B562F7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9DA6B655-A445-42E5-B6D9-70AB1C04774A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions."}, {"lang": "es", "value": "Se presenta una vulnerabilidad en el analizador XML de Apache Xerces Java (XercesJ) cuando maneja cargas \u00fatiles de documentos XML especialmente dise\u00f1ados. Esto causa que el analizador XML de XercesJ espere en un bucle infinito, lo que a veces puede consumir recursos del sistema durante un tiempo prolongado. Esta vulnerabilidad est\u00e1 presente en XercesJ versi\u00f3n 2.12.1, y en versiones anteriores"}], "id": "CVE-2022-23437", "lastModified": "2024-11-21T06:48:33.283", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-24T15:15:09.317", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Sergey Temnikov (Amazon Corretto) and Ziyi Luo (Amazon Corretto) as the original reporters.", "affected_release": [{"advisory": "RHSA-2022:4922", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "xerces-j2", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4919", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4918", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:6813", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "xercesimpl", "product_name": "RHPAM 7.13.1 async", "release_date": "2022-10-05T00:00:00Z"}], "bugzilla": {"description": "xerces-j2: infinite loop when handling specially crafted XML document payloads", "id": "2047200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2047200"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.", "A flaw was found in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This issue causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration, leading to a denial of service condition."], "name": "CVE-2022-23437", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/xerces-j2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "xerces-j2-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "xerces-j2", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven36-xerces-j2", "product_name": "Red Hat Software Collections"}], "public_date": "2022-01-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23437\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23437"], "threat_severity": "Moderate", "upstream_fix": "xerces-j2 2.12.2"}