CVE-2022-23437
Infinite Loop in Apache Xerces Java
6.5
MEDIUM
CVSS 3.1
EPSS 0.09%
Description
There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to enter an infinite loop, which may consume system resources for a prolonged duration (a denial of service). This vulnerability is present in XercesJ version 2.12.1 and earlier versions.
How to fix CVE-2022-23437
To remediate CVE-2022-23437, upgrade the affected package to a fixed version below.
- no fix listed
- upgrade to 2.12.2 or later
Is CVE-2022-23437 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 2.12.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |