CVSSv3: 5.5

CVE-2019-12400

Published: 23/08/2019 Updated: 07/11/2023
CVSS v2 Base Score: 1.9 | Impact Score: 2.9 | Exploitability Score: 3.4
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 171
CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

In version 2.0.3 of Apache Santuario - XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases prior to 2.1.4.

Vulnerable Products

Apache Santuario XML Security for Java

Red Hat JBoss Enterprise Application Platform 7.2

Oracle WebLogic Server 12.2.1.4.0

Oracle WebLogic Server 14.1.1.0.0

Vendor Advisories

Debian Bug report logs - #935548 libxml-security-java: CVE-2019-12400. Package: src:libxml-security-java; Maintainer for src:libxml-security-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 23 Aug 2019 20:18:01 UTC; Severity ...
Debian Bug report logs - #994569 libxml-security-java: CVE-2021-40690. Package: src:libxml-security-java; Maintainer for src:libxml-security-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 17 Sep 2021 19:54:01 UTC; Severity ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2. Red Hat Product Security has rated this update as having a security impact of Important. A ...
Synopsis: Important: Red Hat Single Sign-On 7.3.7 security update. Type/Severity: Security Advisory: Important. Topic: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 8 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 6 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 7 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis: Important: Red Hat build of Thorntail 2.5.1 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: Red Hat Fuse 7.7.0 release and security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.6 to 7.7) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Produc ...

GitHub Repositories

Java SAML toolkit

SAML Java Toolkit. Add SAML support to your Java applications using this library. 2.8.0 uses xmlsec 2.2.3, which fixes CVE-2021-40690. Version >= 2.5.0 is compatible with java8 / java9, not compatible with java7. 2.5.0 sets the 'strict' setting parameter to true. 2.5.0 uses xmlsec 2.1.4, which fixes CVE-2019-12400. Versions 2.0.0 - 2.4.0 are compatible with java7 / java8.

OneLogin's SAML Java Toolkit. Add SAML support to your Java applications using this library. Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc. Version >= 2.5.0 is compatible with java8 / java9, not compatible with java7. 2.5.0 sets the 'strict' setting parameter to true. 2.5.0 uses xmlsec 2.1.4 which f

Clone the project, then run: mvn clean package. If test cases fail, then run mvn clean package -Dmaven.test.skip=true. OneLogin's SAML Java Toolkit. Add SAML support to your Java applications using this library. Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc. Version >= 2.5.0 is compatible with java8 / java9. Not c