CVE - CVE-2019-12400

CVE-ID
CVE-2019-12400	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2 URL:http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2 CONFIRM:https://security.netapp.com/advisory/ntap-20190910-0003/ URL:https://security.netapp.com/advisory/ntap-20190910-0003/ MISC:https://www.oracle.com/security-alerts/cpuoct2021.html URL:https://www.oracle.com/security-alerts/cpuoct2021.html MLIST:[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html URL:https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E MLIST:[santuario-dev] 20190905 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source URL:https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c@%3Cdev.santuario.apache.org%3E MLIST:[santuario-dev] 20190906 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source URL:https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce@%3Cdev.santuario.apache.org%3E MLIST:[tomee-commits] 20200324 [jira] [Created] (TOMEE-2791) TomEE plus(7.0.7) is affected by CVE-2019-12400 vulnerability URL:https://lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4@%3Ccommits.tomee.apache.org%3E MLIST:[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400 URL:https://lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626@%3Ccommits.tomee.apache.org%3E MLIST:[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400 URL:https://lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03@%3Ccommits.tomee.apache.org%3E MLIST:[tomee-commits] 20200720 [jira] [Created] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400 URL:https://lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402@%3Ccommits.tomee.apache.org%3E REDHAT:RHSA-2020:0804 URL:https://access.redhat.com/errata/RHSA-2020:0804 REDHAT:RHSA-2020:0805 URL:https://access.redhat.com/errata/RHSA-2020:0805 REDHAT:RHSA-2020:0806 URL:https://access.redhat.com/errata/RHSA-2020:0806 REDHAT:RHSA-2020:0811 URL:https://access.redhat.com/errata/RHSA-2020:0811
Assigning CNA
Apache Software Foundation
Date Record Created
20190528	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190528)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)