AlexRogalskiy / object-mappers-playground

Object mappers playground
GNU General Public License v3.0

CVE-2009-2625 (Medium) detected in xercesImpl-2.9.1.jar #126

Open mend-bolt-for-github[bot] opened 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2009-2625 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.9.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Path to dependency file: object-mappers-playground/modules/objectmappers-smooks/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar

Dependency Hierarchy:

- milyn-smooks-all-1.7.1.jar (Root Library)
  - milyn-commons-1.7.1.jar
    - :x: **xercesImpl-2.9.1.jar** (Vulnerable Library)

Found in HEAD commit: daa5990f72665f9128c20be6c440020560dc732e

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id?1022680

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:

* JDK and JRE 6 Update 15 or later
* JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:

JDK and JRE 6 Update 15: http://java.sun.com/javase/downloads/index.jsp
JRE 6 Update 15: http://java.com/ through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

* Java SE 6 Update 15 (as delivered in patch 125136-16)
* Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
* Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
* Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20: http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

* J2SE 5.0 Update 18 (as delivered in patch 118666-21)
* J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
* J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
* J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at: http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1


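The report above flags xercesImpl 2.9.1 only because milyn-smooks-all pulls it in transitively through milyn-commons, so the practical question is how to see that chain yourself and how to confirm a version override actually took effect. The script below is an added example, not code from the object-mappers-playground repository or from the scanner: it parses the text format printed by `mvn dependency:tree`, reconstructs the ancestor path of every node, and reports any `xerces:xercesImpl` at or below a version you name (here the report's own 2.9.1). Both tree samples are constructed; the "after" sample assumes the project pinned xercesImpl to 2.12.2 via `<dependencyManagement>`, which is an illustrative target version, not one stated on this page, and the `(version managed from ...)` annotation is what Maven prints in `-Dverbose` mode.

```python
"""Locate a vulnerable transitive artifact in `mvn dependency:tree` output.

Added example for the CVE-2009-2625 report above; not part of the project.
"""
import re
from typing import Dict, List, Optional, Tuple

INFO_PREFIX = "[INFO] "
# A tree node: optional '|  ' / '   ' guide columns (3 chars per level), then '+- ' or '\- '.
NODE_RE = re.compile(r"^(?P<prefix>(?:[| ]{3})*)[+\\]- (?P<coords>.+)$")

# Constructed sample: the chain reported by the scanner, before any fix.
SAMPLE_BEFORE = r"""[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ objectmappers-smooks ---
[INFO] com.example:objectmappers-smooks:jar:1.0.0-SNAPSHOT
[INFO] +- org.milyn:milyn-smooks-all:jar:1.7.1:compile
[INFO] |  \- org.milyn:milyn-commons:jar:1.7.1:compile
[INFO] |     \- xerces:xercesImpl:jar:2.9.1:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Constructed sample after an assumed <dependencyManagement> pin to 2.12.2 (verbose output).
SAMPLE_AFTER = r"""[INFO] com.example:objectmappers-smooks:jar:1.0.0-SNAPSHOT
[INFO] +- org.milyn:milyn-smooks-all:jar:1.7.1:compile
[INFO] |  \- org.milyn:milyn-commons:jar:1.7.1:compile
[INFO] |     \- xerces:xercesImpl:jar:2.12.2:compile (version managed from 2.9.1)
[INFO] \- junit:junit:jar:4.13.2:test
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key: '2.9.1' -> (2, 9, 1); non-numeric parts (SNAPSHOT) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def parse_coords(text: str) -> Optional[Dict[str, str]]:
    """Parse 'group:artifact:type[:classifier]:version[:scope]' with an optional '(note)'."""
    if text.startswith("("):  # verbose-mode omitted node: not on the classpath, skip it
        return None
    m = re.match(r"^(\S+)(?:\s+\((.*)\))?$", text)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) < 4:
        return None
    # 4 parts (root) or 5 parts: version is index 3; 6 parts (classifier present): index 4.
    version = parts[4] if len(parts) == 6 else parts[3]
    return {"group": parts[0], "artifact": parts[1], "version": version, "note": m.group(2) or ""}


def parse_tree(tree_text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Return (ancestor_labels, node) for every resolved node, in tree order."""
    stack: List[str] = []
    nodes: List[Tuple[List[str], Dict[str, str]]] = []
    for raw in tree_text.splitlines():
        line = raw[len(INFO_PREFIX):] if raw.startswith(INFO_PREFIX) else raw
        if not line.strip() or line.startswith("---"):
            continue
        m = NODE_RE.match(line)
        if m:
            depth = len(m.group("prefix")) // 3 + 1
            node = parse_coords(m.group("coords"))
        else:
            depth = 0  # the root artifact line carries no tree marker
            node = parse_coords(line.strip())
        if node is None:
            continue
        del stack[depth:]  # pop back to this node's parent
        nodes.append((list(stack), node))
        stack.append(f"{node['group']}:{node['artifact']}:{node['version']}")
    return nodes


def find_vulnerable(tree_text: str, group: str, artifact: str,
                    max_vulnerable: str) -> List[Tuple[str, List[str]]]:
    """Report each occurrence of group:artifact at or below max_vulnerable with its full path."""
    hits = []
    for path, node in parse_tree(tree_text):
        if (node["group"], node["artifact"]) == (group, artifact) \
                and version_key(node["version"]) <= version_key(max_vulnerable):
            hits.append((node["version"], path + [f"{group}:{artifact}:{node['version']}"]))
    return hits


if __name__ == "__main__":
    for label, tree in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = find_vulnerable(tree, "xerces", "xercesImpl", "2.9.1")
        print(f"{label}: {len(hits)} vulnerable path(s)")
        for version, path in hits:
            print("  " + " -> ".join(path))
```

Run it against `mvn dependency:tree -Dverbose` output from the module that owns the flagged pom; the printed path tells you which direct dependency to target with a `<dependencyManagement>` entry or an `<exclusion>`. Two caveats: the tree shows Maven's resolved version, so a copy of Xerces shaded inside another jar will not appear here, and on a modern JDK the platform's built-in parser is already patched, so what matters is whether the old xercesImpl jar on the classpath is the one actually selected to parse untrusted input.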

github-actions[bot] commented 3 years ago

Thank you for opening an issue. If this issue is related to a bug, please follow the steps and provide the information outlined in the Troubleshooting Guide. Failure to follow these instructions may result in automatic closing of this issue.