CVE-2022-23437 - XML Injection (aka Blind XPath Injection)

Severity

65%

Complexity

27%

Confidentiality

60%

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

CVSS 3.1 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 7.1. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C).

Overview

First reported 3 years ago

2022-01-24 15:15:00

Last updated 2 years ago

2022-12-07 01:45:00

Affected Software

Oracle iLearning 6.2

6.2

Oracle Weblogic Server 12.2.1.3.0

12.2.1.3.0

Oracle Weblogic Server 12.2.1.4.0

12.2.1.4.0

Oracle FLEXCUBE Universal Banking 12.4.0

12.4.0

Oracle PeopleSoft Enterprise PeopleTools 8.58

8.58

NetApp Active IQ Unified Manager for Windows

windows

References

N/A

[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser

N/A

Mailing List, Vendor Advisory

[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser

Mailing List, Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch, Third Party Advisory

N/A

https://security.netapp.com/advisory/ntap-20221028-0005/

N/A

Patch, Third Party Advisory

https://security.netapp.com/advisory/ntap-20221028-0005/

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.