DEBIAN-CVE-2019-12400

Status: PUBLISHED, CVSS 5.5 (MEDIUM)

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.

Risk Scores

CVSS 3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Products

Vendor     Product               Versions
Debian:12  libxml-security-java  0, 0, 0
Debian:11  libxml-security-java  2.1.7-3, 0, 2.0.10-2
Debian:13  libxml-security-java  0, 0, 0
Debian:14  libxml-security-java  0, 0, 0

Timeline

  • Aug 23, 2019 CVE Published
  • Apr 28, 2026 CVE Updated