CVE-2022-23437

NameCVE-2022-23437
DescriptionThere's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1016975

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxerces2-java (PTS)jessie, stretch2.11.0-7vulnerable
buster2.12.0-1vulnerable
bullseye2.12.1-1vulnerable
sid, trixie, bookworm2.12.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxerces2-javasource(unstable)(unfixed)1016975

Notes

[bookworm] - libxerces2-java <postponed> (revisit when/if fix is complete)
[bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete)
[buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
[stretch] - libxerces2-java <postponed> (revisit when/if fix is complete)
https://www.openwall.com/lists/oss-security/2022/01/24/3
[jessie] - libxerces2-java <postponed> (revisit when/if fix is complete)
Search for package or bug name: Reporting problems