CVE-2009-2625

JDK: XML parsing Denial-Of-Service (6845701)

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-07-28 CVE Reserved
  • 2009-08-06 CVE Published
  • 2024-07-13 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (61)
URL Tag Source
http://secunia.com/advisories/36162 Third Party Advisory
http://secunia.com/advisories/36176 Third Party Advisory
http://secunia.com/advisories/36180 Third Party Advisory
http://secunia.com/advisories/36199 Third Party Advisory
http://secunia.com/advisories/37300 Third Party Advisory
http://secunia.com/advisories/37460 Third Party Advisory
http://secunia.com/advisories/37671 Third Party Advisory
http://secunia.com/advisories/37754 Third Party Advisory
http://secunia.com/advisories/38231 Third Party Advisory
http://secunia.com/advisories/38342 Third Party Advisory
http://secunia.com/advisories/43300 Third Party Advisory
http://secunia.com/advisories/50549 Third Party Advisory
http://www.cert.fi/en/reports/2009/vulnerability2009085.html Third Party Advisory
http://www.codenomicon.com/labs/xml Third Party Advisory
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/06/1 Mailing List
http://www.openwall.com/lists/oss-security/2009/10/23/6 Mailing List
http://www.openwall.com/lists/oss-security/2009/10/26/3 Mailing List
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html Broken Link
http://www.securityfocus.com/archive/1/507985/100/0/threaded Mailing List
http://www.securityfocus.com/bid/35958 Third Party Advisory
http://www.securitytracker.com/id?1022680 Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-294A.html Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA10-012A.html Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 Signature
URL Date SRC
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html 2023-11-07
http://marc.info/?l=bugtraq&m=125787273209737&w=2 2023-11-07
http://rhn.redhat.com/errata/RHSA-2012-1232.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2012-1537.html 2023-11-07
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026 2023-11-07
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1 2023-11-07
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1 2023-11-07
http://www.debian.org/security/2010/dsa-1984 2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209 2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108 2023-11-07
http://www.redhat.com/support/errata/RHSA-2009-1615.html 2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0858.html 2023-11-07
http://www.ubuntu.com/usn/USN-890-1 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=512921 2013-04-22
https://rhn.redhat.com/errata/RHSA-2009-1199.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1200.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1201.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1636.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1637.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1649.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1650.html 2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html 2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html 2023-11-07
https://access.redhat.com/security/cve/CVE-2009-2625 2013-04-22
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Oracle | Jdk | 1.5.0 | - | Affected
Oracle | Jdk | 1.5.0 | update1 | Affected
Oracle | Jdk | 1.5.0 | update10 | Affected
Oracle | Jdk | 1.5.0 | update11 | Affected
Oracle | Jdk | 1.5.0 | update12 | Affected
Oracle | Jdk | 1.5.0 | update13 | Affected
Oracle | Jdk | 1.5.0 | update14 | Affected
Oracle | Jdk | 1.5.0 | update15 | Affected
Oracle | Jdk | 1.5.0 | update16 | Affected
Oracle | Jdk | 1.5.0 | update17 | Affected
Oracle | Jdk | 1.5.0 | update18 | Affected
Oracle | Jdk | 1.5.0 | update19 | Affected
Oracle | Jdk | 1.5.0 | update2 | Affected
Oracle | Jdk | 1.5.0 | update3 | Affected
Oracle | Jdk | 1.5.0 | update4 | Affected
Oracle | Jdk | 1.5.0 | update5 | Affected
Oracle | Jdk | 1.5.0 | update6 | Affected
Oracle | Jdk | 1.5.0 | update7 | Affected
Oracle | Jdk | 1.5.0 | update8 | Affected
Oracle | Jdk | 1.5.0 | update9 | Affected
Oracle | Jdk | 1.6.0 | - | Affected
Oracle | Jdk | 1.6.0 | update1 | Affected
Oracle | Jdk | 1.6.0 | update10 | Affected
Oracle | Jdk | 1.6.0 | update11 | Affected
Oracle | Jdk | 1.6.0 | update12 | Affected
Oracle | Jdk | 1.6.0 | update13 | Affected
Oracle | Jdk | 1.6.0 | update14 | Affected
Oracle | Jdk | 1.6.0 | update2 | Affected
Oracle | Jdk | 1.6.0 | update3 | Affected
Oracle | Jdk | 1.6.0 | update4 | Affected
Oracle | Jdk | 1.6.0 | update5 | Affected
Oracle | Jdk | 1.6.0 | update6 | Affected
Oracle | Jdk | 1.6.0 | update7 | Affected
Fedoraproject | Fedora | 10 | - | Affected
Fedoraproject | Fedora | 11 | - | Affected
Opensuse | Opensuse | 11.0 | - | Affected
Opensuse | Opensuse | 11.1 | - | Affected
Opensuse | Opensuse | 11.2 | - | Affected
Suse | Linux Enterprise Server | 9 | - | Affected
Suse | Linux Enterprise Server | 10 | sp2 | Affected
Suse | Linux Enterprise Server | 10 | sp3 | Affected
Suse | Linux Enterprise Server | 11 | - | Affected
Debian | Debian Linux | 4.0 | - | Affected
Debian | Debian Linux | 5.0 | - | Affected
Canonical | Ubuntu Linux | 6.06 | - | Affected
Canonical | Ubuntu Linux | 8.04 | - | Affected
Canonical | Ubuntu Linux | 8.10 | - | Affected
Canonical | Ubuntu Linux | 9.04 | - | Affected
Canonical | Ubuntu Linux | 9.10 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | 6.1 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | 6.2.1 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | 7.0 | - | Affected
Oracle | Primavera Web Services | 6.2.1 | - | Affected
Oracle | Primavera Web Services | 7.0 | - | Affected
Oracle | Primavera Web Services | 7.0 | sp1 | Affected
Apache | Xerces2 Java | 2.9.1 | - | Affected