Vulnerability Details CVE-2019-12400
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.1%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 1.9
References
- http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811
- https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c%40%3Cdev.santuario.apache.org%3E
- https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce%40%3Cdev.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03%40%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190910-0003/
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811
- https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c%40%3Cdev.santuario.apache.org%3E
- https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce%40%3Cdev.santuario.apache.org%3E
- https://lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E
- https://lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03%40%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190910-0003/
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2019-12400
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.0.10
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.0.3
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.0.4
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.0.5
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.0.9
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.0
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.1
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.2
-
cpe:2.3:a:apache:santuario_xml_security_for_java:2.1.3
-
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0
-
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2