
CVE-2022-23437

Infinite loop within the Apache XercesJ XML parser

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: Apache Xerces-J <= 2.12.1 (CPE; full product list below)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. A crafted document causes the XercesJ XML parser to wait in an infinite loop, which can consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and all previous versions; Apache fixed it in Xerces-J 2.12.2. Because the trigger is the XML document itself, any service that feeds untrusted XML to an affected parser can be tied up by a single document, which is the denial-of-service scenario the CVSS metrics below assume (network-reachable parser, availability impact only).

A vulnerability exists in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which can sometimes consume system resources for a prolonged time. This vulnerability is present in XercesJ version 2.12.1 and earlier versions.

A flaw was found in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This issue causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration, leading to a denial of service condition.

*Credits: This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team
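A practitioner's first check is whether a build pulls an affected xercesImpl at all. The Python below is added here as an example; it is not code from the advisory or from Xerces-J. It scans `mvn dependency:list`-style output for the Maven coordinate `xerces:xercesImpl` and flags versions at or below 2.12.1, the bound stated above; the input lines are constructed, and the fixed version 2.12.2 is the Apache release that closed the issue. It deliberately does not look for Xerces copies shaded into other jars or bundled by the vendor products listed further down, where the vendor's own patch is the check.

```python
"""Flag Apache Xerces-J (Maven coordinate xerces:xercesImpl) versions in the
CVE-2022-23437 affected range (<= 2.12.1) in Maven dependency output.

Added example, not part of the advisory or of Xerces-J. SAMPLE_DEPS is a
constructed imitation of `mvn dependency:list` output.
"""
import re
from typing import List, Tuple

AFFECTED_MAX = (2, 12, 1)   # advisory: "2.12.1 and the previous versions"
FIXED = "2.12.2"            # Apache release that closed CVE-2022-23437

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPS = """\
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.12.1:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    com.example:other-lib:jar:3.0.0-beta:runtime
[INFO]    xerces:xercesImpl:jar:2.12.2:test
"""

# groupId:artifactId:jar:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted prefix of a Maven version: '2.12.1' -> (2, 12, 1).
    Qualifiers such as '-beta' are dropped, so a pre-release of 2.12.2
    compares as 2.12.2; flag those by hand if that matters to you."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when a xercesImpl version falls inside the advisory's range."""
    return parse_version(version) <= AFFECTED_MAX


def scan(dependency_output: str) -> List[Tuple[str, str, bool]]:
    """Return (coordinate, scope, affected) for every xerces:xercesImpl line."""
    hits = []
    for line in dependency_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if (group, artifact) == ("xerces", "xercesImpl"):
            hits.append((f"{group}:{artifact}:{version}", scope, is_affected(version)))
    return hits


if __name__ == "__main__":
    for coord, scope, bad in scan(SAMPLE_DEPS):
        verdict = f"AFFECTED by CVE-2022-23437, upgrade to {FIXED}" if bad else "ok"
        print(f"{coord} ({scope}): {verdict}")
```

Run it against real output with `mvn dependency:list | python3 check_xerces.py` after swapping `SAMPLE_DEPS` for `sys.stdin.read()`; a `test`-scoped hit is still worth fixing, since test parsers also see attacker-controlled fixtures in some pipelines.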
CVSS Scores

CVSS v3.1 (base score 6.5): AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS v2 (base score 7.1): AV:N/AC:M/Au:N/C:N/I:N/A:C
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: None
Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-01-24 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Apache | Xerces-j | <= 2.12.1 | - | Affected
Oracle | Agile Engineering Data Management | 6.2.1.0 | - | Affected
Oracle | Agile Plm | 9.3.6 | - | Affected
Oracle | Banking Deposits And Lines Of Credit Servicing | 2.7 | - | Affected
Oracle | Banking Party Management | 2.7.0 | - | Affected
Oracle | Communications Asap | 7.3 | - | Affected
Oracle | Communications Element Manager | < 9.0 | - | Affected
Oracle | Communications Session Report Manager | < 9.0 | - | Affected
Oracle | Communications Session Route Manager | < 9.0 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0.0 <= 8.0.9.0 | - | Affected
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.1.0.0 < 8.1.2.0 | - | Affected
Oracle | Financial Services Behavior Detection Platform | >= 8.0.6.0.0 <= 8.0.8.0 | - | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 | - | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 | - | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 | - | Affected
Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 | - | Affected
Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.0.7.1 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.0.8.0 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.0.8.1 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.0 | - | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.1 | - | Affected
Oracle | Flexcube Universal Banking | 12.4.0 | - | Affected
Oracle | Global Lifecycle Management Nextgen Oui Framework | < 13.9.4.2.2 | - | Affected
Oracle | Global Lifecycle Management Nextgen Oui Framework | 13.9.4.2.2 | - | Affected
Oracle | Global Lifecycle Management Opatch | < 12.2.0.1.30 | - | Affected
Oracle | Health Sciences Information Manager | >= 3.0.1 <= 3.0.5 | - | Affected
Oracle | Health Sciences Information Manager | 3.0.0.1 | - | Affected
Oracle | Ilearning | 6.2 | - | Affected
Oracle | Ilearning | 6.3 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.58 | - | Affected
Oracle | Peoplesoft Enterprise Peopletools | 8.59 | - | Affected
Oracle | Primavera Gateway | >= 17.7 <= 17.12.11 | - | Affected
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.14 | - | Affected
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.13 | - | Affected
Oracle | Primavera Gateway | >= 20.12.0 <= 20.12.8 | - | Affected
Oracle | Product Lifecycle Analytics | 3.6.1 | - | Affected
Oracle | Retail Bulk Data Integration | 16.0.3.0 | - | Affected
Oracle | Retail Extract Transform And Load | 13.2.8 | - | Affected
Oracle | Retail Financial Integration | 14.1.3.2 | - | Affected
Oracle | Retail Financial Integration | 15.0.3.1 | - | Affected
Oracle | Retail Financial Integration | 16.0.3 | - | Affected
Oracle | Retail Financial Integration | 19.0.1 | - | Affected
Oracle | Retail Integration Bus | 14.1.3.2 | - | Affected
Oracle | Retail Integration Bus | 15.0.3.1 | - | Affected
Oracle | Retail Integration Bus | 16.0.3 | - | Affected
Oracle | Retail Integration Bus | 19.0.1 | - | Affected
Oracle | Retail Merchandising System | 16.0.3 | - | Affected
Oracle | Retail Merchandising System | 19.0.1 | - | Affected
Oracle | Retail Service Backbone | 14.1.3.2 | - | Affected
Oracle | Retail Service Backbone | 15.0.3.1 | - | Affected
Oracle | Retail Service Backbone | 16.0.3 | - | Affected
Oracle | Retail Service Backbone | 19.0.1 | - | Affected
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected
Oracle | Weblogic Server | 14.1.1.0.0 | - | Affected
Netapp | Active Iq Unified Manager | - | windows | Affected