CVE-2020-14338

Published: 27 Aug 2020
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

Affected packages

Platform | Package | State | Recommendation | Release
A-MQ Clients 2 | xercesimpl | Not affected | |
Red Hat CodeReady Studio 12 | xercesimpl | Not affected | |
Red Hat JBoss A-MQ 6 | xercesimpl | Out of support scope | |
Red Hat JBoss BRMS 6 | xercesimpl | Out of support scope | |
Red Hat JBoss Data Grid 7 | xercesimpl | Out of support scope | |
Red Hat JBoss Data Virtualization 6 | xercesimpl | Out of support scope | |
Red Hat JBoss Enterprise Application Platform 5 | xercesimpl | Out of support scope | |
Red Hat JBoss Enterprise Application Platform 6 | xercesimpl | Out of support scope | |
Red Hat JBoss Enterprise Application Platform Continuous Delivery | xercesimpl | Out of support scope | |
Red Hat JBoss Fuse 6 | xercesimpl | Out of support scope | |

Additional information

Severity: Moderate
Weakness: CWE-20
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1860054
wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl

EPSS

Percentile: 61%
Score: 0.00414
Rating: Low

CVSS3: 5.3 (Medium)

Related vulnerabilities

CVSS3: 5.3
nvd
more than 5 years ago

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

CVSS3: 5.3
debian
more than 5 years ago

A flaw was found in Wildfly's implementation of Xerces, specifically i ...

CVSS3: 5.3
github
almost 4 years ago

Improper Input Validation in Xerces

CVSS3: 5.3
fstec
more than 5 years ago

A vulnerability in the XMLSchemaValidator class of the JAXP component of the WildFly (JBoss Application Server) software, allowing an attacker to gain access to read, modify, add or delete data via numerous network protocols
