chore(deps): update dependency xerces:xercesimpl to v2.12.2 [security]

[gjed]

This PR contains the following updates:

Package	Change	Age	Confidence
xerces:xercesImpl (source)	2.9.1-patch-01 → 2.12.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Denial of service in Apache Xerces2

CVE-2012-0881 / GHSA-vmqm-g3vh-847m

More information

Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2012-0881
• https://github.com/apache/xerces2-j/commit/992b5d9c24102ad20330d36c0a71162753a37449
• https://bugzilla.redhat.com/show_bug.cgi?id=787104
• https://issues.apache.org/jira/browse/XERCESJ-1685
• https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@​%3Cj-users.xerces.apache.org%3E
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@​%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@​%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@​%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56@​%3Ccommon-issues.hadoop.apache.org%3E
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E
• https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
• https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
• https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E
• https://www.openwall.com/lists/oss-security/2014/07/08/11
• https://github.com/advisories/GHSA-vmqm-g3vh-847m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Denial of service in Apache Xerces2

CVE-2009-2625 / GHSA-334p-wv2m-w3vp

More information

Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Severity

Medium

References

• https://nvd.nist.gov/vuln/detail/CVE-2009-2625
• https://github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b
• https://bugzilla.redhat.com/show_bug.cgi?id=512921
• https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@​%3Csolr-user.lucene.apache.org%3E
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356
• https://rhn.redhat.com/errata/RHSA-2009-1199.html
• https://rhn.redhat.com/errata/RHSA-2009-1200.html
• https://rhn.redhat.com/errata/RHSA-2009-1201.html
• https://rhn.redhat.com/errata/RHSA-2009-1636.html
• https://rhn.redhat.com/errata/RHSA-2009-1637.html
• https://rhn.redhat.com/errata/RHSA-2009-1649.html
• https://rhn.redhat.com/errata/RHSA-2009-1650.html
• https://snyk.io/vuln/SNYK-JAVA-XERCES-32014
• https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
• https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
• http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
• http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
• http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
• http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
• http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
• http://marc.info/?l=bugtraq&m=125787273209737&w=2
• http://rhn.redhat.com/errata/RHSA-2012-1232.html
• http://rhn.redhat.com/errata/RHSA-2012-1537.html
• http://secunia.com/advisories/36162
• http://secunia.com/advisories/36176
• http://secunia.com/advisories/36180
• http://secunia.com/advisories/36199
• http://secunia.com/advisories/37300
• http://secunia.com/advisories/37460
• http://secunia.com/advisories/37671
• http://secunia.com/advisories/37754
• http://secunia.com/advisories/38231
• http://secunia.com/advisories/38342
• http://secunia.com/advisories/43300
• http://secunia.com/advisories/50549
• http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
• http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
• http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1
• http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1
• http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h
• http://www.cert.fi/en/reports/2009/vulnerability2009085.html
• http://www.codenomicon.com/labs/xml/
• http://www.debian.org/security/2010/dsa-1984
• http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:108
• http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
• http://www.openwall.com/lists/oss-security/2009/09/06/1
• http://www.openwall.com/lists/oss-security/2009/10/22/9
• http://www.openwall.com/lists/oss-security/2009/10/23/6
• http://www.openwall.com/lists/oss-security/2009/10/26/3
• http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
• http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
• http://www.redhat.com/support/errata/RHSA-2009-1615.html
• http://www.redhat.com/support/errata/RHSA-2011-0858.html
• http://www.securityfocus.com/archive/1/507985/100/0/threaded
• http://www.securityfocus.com/bid/35958
• http://www.securitytracker.com/id?1022680
• http://www.ubuntu.com/usn/USN-890-1
• http://www.us-cert.gov/cas/techalerts/TA09-294A.html
• http://www.us-cert.gov/cas/techalerts/TA10-012A.html
• http://www.vmware.com/security/advisories/VMSA-2009-0016.html
• http://www.vupen.com/english/advisories/2009/2543
• http://www.vupen.com/english/advisories/2009/3316
• http://www.vupen.com/english/advisories/2011/0359
• https://github.com/advisories/GHSA-334p-wv2m-w3vp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Infinite Loop in Apache Xerces Java

CVE-2022-23437 / GHSA-h65f-jvqw-m9fj

More information

Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-23437
• https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
• http://www.openwall.com/lists/oss-security/2022/01/24/3
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.netapp.com/advisory/ntap-20221028-0005/
• https://github.com/advisories/GHSA-h65f-jvqw-m9fj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Missing XML Validation in Apache Xerces2

CVE-2013-4002 / GHSA-7j4h-8wpf-rqfh

More information

Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Severity

High

References

• https://nvd.nist.gov/vuln/detail/CVE-2013-4002
• https://access.redhat.com/errata/RHSA-2014:0414
• https://exchange.xforce.ibmcloud.com/vulnerabilities/85260
• https://issues.apache.org/jira/browse/XERCESJ-1679
• https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@​%3Cj-users.xerces.apache.org%3E
• https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@​%3Csolr-user.lucene.apache.org%3E
• https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@​%3Csolr-user.lucene.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
• http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html
• http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
• http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
• http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
• http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
• http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
• http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
• http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html
• http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html
• http://marc.info/?l=bugtraq&m=138674031212883&w=2
• http://marc.info/?l=bugtraq&m=138674073720143&w=2
• http://rhn.redhat.com/errata/RHSA-2013-1059.html
• http://rhn.redhat.com/errata/RHSA-2013-1060.html
• http://rhn.redhat.com/errata/RHSA-2013-1081.html
• http://rhn.redhat.com/errata/RHSA-2013-1440.html
• http://rhn.redhat.com/errata/RHSA-2013-1447.html
• http://rhn.redhat.com/errata/RHSA-2013-1451.html
• http://rhn.redhat.com/errata/RHSA-2013-1505.html
• http://rhn.redhat.com/errata/RHSA-2014-1818.html
• http://rhn.redhat.com/errata/RHSA-2014-1821.html
• http://rhn.redhat.com/errata/RHSA-2014-1822.html
• http://rhn.redhat.com/errata/RHSA-2014-1823.html
• http://rhn.redhat.com/errata/RHSA-2015-0675.html
• http://rhn.redhat.com/errata/RHSA-2015-0720.html
• http://rhn.redhat.com/errata/RHSA-2015-0765.html
• http://rhn.redhat.com/errata/RHSA-2015-0773.html
• http://security.gentoo.org/glsa/glsa-201406-32.xml
• http://support.apple.com/kb/HT5982
• http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch
• http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015
• http://www-01.ibm.com/support/docview.wss?uid=swg21644197
• http://www-01.ibm.com/support/docview.wss?uid=swg21653371
• http://www-01.ibm.com/support/docview.wss?uid=swg21657539
• http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html
• http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002
• http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013
• http://www.ibm.com/support/docview.wss?uid=swg21648172
• http://www.ubuntu.com/usn/USN-2033-1
• http://www.ubuntu.com/usn/USN-2089-1
• https://github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17
• https://github.com/advisories/GHSA-7j4h-8wpf-rqfh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper Input Validation in Xerces

CVE-2020-14338 / GHSA-w4jq-qh47-hvjq

More information

Details

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. All xerces jboss versions before 2.12.0.SP3.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-14338
• https://bugzilla.redhat.com/show_bug.cgi?id=1860054
• https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@​%3Cj-users.xerces.apache.org%3E
• https://github.com/advisories/GHSA-w4jq-qh47-hvjq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (in timezone Europe/Rome)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.