Open mend-bolt-for-github[bot] opened 3 years ago
Thank you for opening an issue. If this issue is related to a bug, please follow the steps and provide the information outlined in the Troubleshooting Guide. Failure to follow these instructions may result in automatic closing of this issue.
CVE-2009-2625 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.9.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Path to dependency file: object-mappers-playground/modules/objectmappers-smooks/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar,/home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
Dependency Hierarchy: - milyn-smooks-all-1.7.1.jar (Root Library) - milyn-commons-1.7.1.jar - :x: **xercesImpl-2.9.1.jar** (Vulnerable Library)
Found in HEAD commit: daa5990f72665f9128c20be6c440020560dc732e
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id?1022680
Release Date: 2017-12-31
Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux: * JDK and JRE 6 Update 15 or later * JDK and JRE 5.0 Update 20 or later Java SE releases are available at: JDK and JRE 6 Update 15: http://java.sun.com/javase/downloads/index.jsp JRE 6 Update 15: http://java.com/ through the Java Update tool for Microsoft Windows users. JDK 6 Update 15 for Solaris is available in the following patches: * Java SE 6 Update 15 (as delivered in patch 125136-16) * Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit)) * Java SE 6_x86 Update 15 (as delivered in patch 125138-16) * Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit)) JDK and JRE 5.0 Update 20: http://java.sun.com/javase/downloads/index_jdk5.jsp JDK 5.0 Update 20 for Solaris is available in the following patches: * J2SE 5.0 Update 18 (as delivered in patch 118666-21) * J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit)) * J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21) * J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit)) Java SE for Business releases are available at: http://www.sun.com/software/javaseforbusiness/getit_download.jsp Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://www.java.com/en/download/help/5000010800.xml The vendor's advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
Step up your Open Source Security Game with WhiteSource here