Lucene search

K

[email protected]NVD:CVE-2019-12400

HistoryAug 23, 2019 - 9:15 p.m.

CVE-2019-12400

2019-08-2321:15:11

CWE-20

[email protected]

web.nvd.nist.gov

1

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.5%

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

Affected configurations

NVD

Node

apachesantuario_xml_security_for_javaRange2.0.3–2.0.10

OR

apachesantuario_xml_security_for_javaRange2.1.0–2.1.4

Node

redhatjboss_enterprise_application_platformMatch7.2

Node

oracleweblogic_serverMatch12.2.1.4.0

OR

oracleweblogic_serverMatch14.1.1.0.0

References

santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2

access.redhat.com/errata/RHSA-2020:0804

access.redhat.com/errata/RHSA-2020:0805

access.redhat.com/errata/RHSA-2020:0806

access.redhat.com/errata/RHSA-2020:0811

lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c%40%3Cdev.santuario.apache.org%3E

lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce%40%3Cdev.santuario.apache.org%3E

lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E

lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03%40%3Ccommits.tomee.apache.org%3E

security.netapp.com/advisory/ntap-20190910-0003/

www.oracle.com/security-alerts/cpuoct2021.html

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.5%

Related for NVD:CVE-2019-12400

osv2 ubuntucve1 ibm3 redhatcve1 prion1 cvelist1 cve1 github1 veracode1 debiancve1 redhat7 nessus4 oracle1