Vulnerability in Apache Xerces-j
CVE-2022-23437
There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources…
EPSS: 0.044 (90.2nd percentile).
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Affected products
- Apache Xerces-J
- Apache Software Foundation Xerces (Apache XercesJ)
- NetApp Active IQ Unified Manager
- Oracle Agile Engineering Data Management, version 6.2.1.0
- Oracle Agile PLM, version 9.3.6
- Oracle Banking Deposits and Lines of Credit Servicing, version 2.7
- Oracle Banking Party Management, version 2.7.0
- Oracle Communications ASAP, version 7.3
- Oracle Communications Element Manager
- Oracle Communications Session Report Manager
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security@apache.org (Mailing List, Vendor Advisory)
- security@apache.org (mailing-list, Mailing List, Third Party Advisory)
- security@apache.org (Patch, Third Party Advisory)
- security@apache.org (Third Party Advisory)
Frequently asked questions
- What is CVE-2022-23437?
- CVE-2022-23437 is a medium-severity vulnerability in Apache Xerces-j, classified under Loop with Unreachable Exit Condition (Infinite Loop). CVSS score: 6.5/10. Published 2022-01-24.
- How severe is CVE-2022-23437?
- Medium severity. CVSS v3 base score is 6.5 out of 10.
- Is CVE-2022-23437 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.