Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2009-2625 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: WinterEE/WinterEE-API/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- jacoco-maven-plugin-0.8.6.jar (Root Library)
  - maven-reporting-impl-2.1.jar
    - doxia-core-1.1.2.jar
      - :x: **xercesImpl-2.8.1.jar** (Vulnerable Library)

The root of this chain is a Maven build plugin, so the vulnerable jar is resolved onto the plugin's classpath when JaCoCo reports are generated during the build; through this path it is not a compile or runtime dependency of WinterEE-API and does not ship in the built artifact. The XML the plugin parses is the project's own report data, not attacker-supplied input, which is worth weighing when prioritising the finding.
Found in HEAD commit: 9d57f3481f4a0f678edb6631b7924d697b67b48b
Found in base branch: master
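A quick way to check whether a scanner hit like this one is reachable at runtime is to locate the artifact in the project's own dependency graph and read off its Maven scope. The script below is an added example, not part of this report or of the WinterEE project: it parses the plain-text output of `mvn dependency:tree`, returns the root-to-artifact path and scope for every occurrence of a given group:artifact, and reports `absent` when the artifact is not a project dependency at all, which is the situation in this report, since xercesImpl 2.8.1 arrives through jacoco-maven-plugin and would only appear in the output of `mvn dependency:resolve-plugins`. The tree text embedded in the script is constructed sample data, not the real project's output.

```python
"""Triage a dependency-scanner hit against `mvn dependency:tree` output.

Added example, not part of the WhiteSource report or the WinterEE project.
It parses the plain-text tree Maven prints, locates every occurrence of a
group:artifact, and reports the path from the project root plus the Maven
scope, so a runtime exposure can be told apart from a test- or build-only one.
"""
import re
from dataclasses import dataclass

# Constructed sample output (not the real project's tree). xercesImpl is
# reached twice: once at compile scope, once at test scope.
SAMPLE_TREE = """\
[INFO] com.example:WinterEE-API:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.8:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.8:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.maven.doxia:doxia-core:jar:1.1.2:compile
[INFO] |  \\- xerces:xercesImpl:jar:2.8.1:compile
[INFO] \\- org.example:report-tests:jar:0.1:test
[INFO]    \\- xerces:xercesImpl:jar:2.8.1:test
"""

RUNTIME_SCOPES = {"compile", "runtime"}  # these end up in the shipped artifact

_PREFIX = re.compile(r"^\[INFO\] ")
_MARKER = re.compile(r"[+\\]- ")  # "+- " or "\- " introduces a child node


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str  # "" for the project root
    depth: int
    parent: "Node | None" = None

    def chain(self) -> list[str]:
        """Coordinates from the project root down to this node."""
        path, n = [], self
        while n is not None:
            path.append(f"{n.group}:{n.artifact}:{n.version}")
            n = n.parent
        return list(reversed(path))


def _parse_coords(text: str) -> tuple[str, str, str, str]:
    # Drop verbose-mode annotations such as "(version managed from 2.7.1)".
    parts = text.split(" (")[0].strip().split(":")
    if len(parts) == 4:  # root: group:artifact:type:version
        g, a, _t, v = parts
        return g, a, v, ""
    if len(parts) == 5:  # group:artifact:type:version:scope
        g, a, _t, v, s = parts
        return g, a, v, s
    if len(parts) == 6:  # group:artifact:type:classifier:version:scope
        g, a, _t, _c, v, s = parts
        return g, a, v, s
    raise ValueError(f"unrecognised coordinate line: {text!r}")


def parse_tree(text: str) -> list[Node]:
    """Turn dependency:tree text into Node objects linked to their parents."""
    nodes: list[Node] = []
    stack: list[Node] = []  # stack[d] is the most recent node at depth d
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw)
        if not line.strip():
            continue
        m = _MARKER.search(line)
        if m is None:
            depth, coords = 0, line  # the project itself
        else:
            depth = m.start() // 3 + 1  # Maven indents three columns per level
            coords = line[m.end():]
        g, a, v, s = _parse_coords(coords)
        node = Node(g, a, v, s, depth, stack[depth - 1] if depth > 0 else None)
        del stack[depth:]
        stack.append(node)
        nodes.append(node)
    return nodes


def find_artifact(text: str, group: str, artifact: str) -> list[Node]:
    return [n for n in parse_tree(text) if (n.group, n.artifact) == (group, artifact)]


def classify(hits: list[Node]) -> str:
    """'absent' (not a project dependency; check plugin classpaths),
    'runtime' (some occurrence ships), or 'build-only'."""
    if not hits:
        return "absent"
    if any(h.scope in RUNTIME_SCOPES for h in hits):
        return "runtime"
    return "build-only"


if __name__ == "__main__":
    hits = find_artifact(SAMPLE_TREE, "xerces", "xercesImpl")
    for h in hits:
        print(f"{h.scope:8} " + " -> ".join(h.chain()))
    print("verdict:", classify(hits))
```

In the constructed sample the verdict is `runtime`, because one occurrence sits at compile scope under doxia-core; had xercesImpl only appeared under the test-scoped artifact, the verdict would be `build-only`. Running the same check against the real WinterEE-API tree would return `absent`, which is the cue to look at plugin dependencies instead, as the hierarchy above already shows.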
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: N/A
  - Attack Complexity: N/A
  - Privileges Required: N/A
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

Every metric is N/A because no CVSS v3 vector is published for this CVE; it predates CVSS v3 and NVD scores it under CVSS v2 only. The 5.5 above is therefore a scanner-assigned severity rather than a score derived from the listed metrics.
For more information on CVSS3 Scores, click here.

Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id?1022680
Release Date: 2017-12-31
Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:
* JDK and JRE 6 Update 15 or later
* JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:
* JDK and JRE 6 Update 15: http://java.sun.com/javase/downloads/index.jsp
* JRE 6 Update 15: http://java.com/ through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:
* Java SE 6 Update 15 (as delivered in patch 125136-16)
* Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
* Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
* Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20: http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:
* J2SE 5.0 Update 18 (as delivered in patch 118666-21)
* J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
* J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
* J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at: http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see: http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

This resolution covers the Xerces copy bundled inside Sun's JRE. The xercesImpl-2.8.1.jar flagged in this report is the standalone Apache artifact resolved by Maven, which a JRE update does not touch; the dependency itself has to be upgraded, overridden or removed from the plugin classpath for the finding to clear.
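Because the vulnerable jar reaches the build only as a transitive dependency of jacoco-maven-plugin (via maven-reporting-impl and doxia-core), the place to fix it is the plugin declaration in pom.xml: dependencies listed inside a `<plugin>` element are resolved ahead of the plugin's own transitive ones, so declaring a newer xercesImpl there replaces 2.8.1 on the plugin classpath. The fragment below is an added example and not taken from WinterEE/WinterEE-API/pom.xml; the xercesImpl version 2.12.2 is an assumption standing in for whatever the current xerces:xercesImpl release is when you apply it.

```xml
<!-- Added example, not from WinterEE/WinterEE-API/pom.xml.
     Overrides the xercesImpl that jacoco-maven-plugin pulls in transitively
     (maven-reporting-impl -> doxia-core -> xercesImpl 2.8.1).
     The version 2.12.2 is an assumption; use the current xerces:xercesImpl release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.jacoco</groupId>
      <artifactId>jacoco-maven-plugin</artifactId>
      <version>0.8.6</version>
      <dependencies>
        <!-- Plugin-level dependencies win over the plugin's own transitive
             dependencies, so this replaces 2.8.1 on the plugin classpath. -->
        <dependency>
          <groupId>xerces</groupId>
          <artifactId>xercesImpl</artifactId>
          <version>2.12.2</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

After the change, `mvn dependency:resolve-plugins` should list the overridden version under jacoco-maven-plugin and the scanner should no longer see 2.8.1 in the resolved plugin set; if it still does, another plugin is pulling the old jar in by a different path and needs the same treatment.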