{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2019-12400", "ASSIGNER": "security@apache.org", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Apache", "product": { "product_data": [ { "product_name": "Apache Santuario - XML Security for Java", "version": { "version_data": [ { "version_value": "All 2.0.x releases from 2.0.3" }, { "version_value": "all 2.1.x releases before 2.1.4." } ] } } ] } } ] } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Process Control" } ] } ] }, "references": { "reference_data": [ { "refsource": "CONFIRM", "name": "http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2", "url": "http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2" }, { "refsource": "MLIST", "name": "[santuario-dev] 20190905 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source", "url": "https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c@%3Cdev.santuario.apache.org%3E" }, { "refsource": "MLIST", "name": "[santuario-dev] 20190906 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source", "url": "https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce@%3Cdev.santuario.apache.org%3E" }, { "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20190910-0003/", "url": "https://security.netapp.com/advisory/ntap-20190910-0003/" }, { "refsource": "REDHAT", "name": "RHSA-2020:0806", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "refsource": "REDHAT", "name": "RHSA-2020:0811", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "refsource": "REDHAT", "name": "RHSA-2020:0804", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "refsource": "REDHAT", "name": "RHSA-2020:0805", "url": "https://access.redhat.com/errata/RHSA-2020:0805" }, { "refsource": "MLIST", "name": "[tomee-commits] 20200324 [jira] [Created] (TOMEE-2791) TomEE plus(7.0.7) is affected by CVE-2019-12400 vulnerability", "url": "https://lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4@%3Ccommits.tomee.apache.org%3E" } ] }, "description": { "description_data": [ { "lang": "eng", "value": "In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4." } ] } }