CVE-2009-2625

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 06-08-2009 05:30

Last modified: - 13-05-2022 04:44

Total changes: - 3

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:L/Au:N/C:N/I:N/A:P

Low

Attack complexity

Network

Attack vector

Low

Availability

None

Confidentiality

None

Integrity

Privileges required

Scope

User interaction

5.0

Base score

10.0

2.9

Exploitability score

Impact score

Verification logic

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update11

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update1

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update2

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update3

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update5

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update6

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update7

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update8

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update9

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update10

vendor=oracle AND product=jdk AND version=1.5.0 AND update=-

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update12

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update13

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update14

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update15

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update16

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update17

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update18

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update19

vendor=oracle AND product=jdk AND version=1.5.0 AND update=update4

vendor=oracle AND product=jdk AND version=1.6.0 AND update=-

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update1

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update2

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update3

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update4

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update10

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update11

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update12

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update13

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update14

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update5

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update6

vendor=oracle AND product=jdk AND version=1.6.0 AND update=update7

vendor=fedoraproject AND product=fedora AND version=11

vendor=fedoraproject AND product=fedora AND version=10

vendor=opensuse AND product=opensuse AND version=11.1

vendor=suse AND product=linux_enterprise_server AND version=9

vendor=opensuse AND product=opensuse AND version=11.0

vendor=opensuse AND product=opensuse AND version=11.2

vendor=suse AND product=linux_enterprise_server AND version=10 AND update=sp2

vendor=suse AND product=linux_enterprise_server AND version=11 AND update=-

vendor=suse AND product=linux_enterprise_server AND version=10 AND update=sp3 AND software_edition=-

vendor=Debian AND product=debian_linux AND version=5.0

vendor=Debian AND product=debian_linux AND version=4.0

vendor=canonical AND product=ubuntu_linux AND version=9.04

vendor=canonical AND product=ubuntu_linux AND version=8.10

vendor=canonical AND product=ubuntu_linux AND version=9.10

vendor=canonical AND product=ubuntu_linux AND version=8.04 AND software_edition=-

vendor=canonical AND product=ubuntu_linux AND version=6.06

vendor=oracle AND product=primavera_web_services AND version=7.0 AND update=-

vendor=oracle AND product=primavera_web_services AND version=7.0 AND update=sp1

vendor=oracle AND product=primavera_web_services AND version=6.2.1

vendor=oracle AND product=primavera_p6_enterprise_project_portfolio_management AND version=6.2.1

vendor=oracle AND product=primavera_p6_enterprise_project_portfolio_management AND version=7.0

vendor=oracle AND product=primavera_p6_enterprise_project_portfolio_management AND version=6.1

vendor=apache AND product=xerces2_java AND version=2.9.1

Reference

http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
263489-Broken Link, Patch, Vendor Advisory
http://www.codenomicon.com/labs/xml/
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
RHSA-2009:1200-Broken Link
RHSA-2009:1201-Broken Link
1022680-Third Party Advisory, VDB Entry
36176-Third Party Advisory
FEDORA-2009-8337-Mailing List, Third Party Advisory
36180-Third Party Advisory
36162-Third Party Advisory
RHSA-2009:1199-Broken Link
FEDORA-2009-8329-Mailing List, Third Party Advisory
36199-Third Party Advisory
35958-Third Party Advisory, VDB Entry
MDVSA-2009:209-Third Party Advisory
APPLE-SA-2009-09-03-1-Mailing List, Third Party Advisory
ADV-2009-2543-Permissions Required
TA09-294A-Third Party Advisory, US Government Resource
SUSE-SR:2009:016-Third Party Advisory
[oss-security] 20090906 Re: Re: expat bug 1990430-Mailing List, Third Party Advisory
[oss-security] 20091022 Re: Regarding expat bug 1990430-Mailing List, Patch, Third Party Advisory
[oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]-Mailing List, Third Party Advisory
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h
[oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]-Mailing List, Third Party Advisory
SUSE-SA:2009:053-Third Party Advisory
37300-Third Party Advisory
HPSBUX02476-Mailing List, Third Party Advisory
272209-Broken Link
37671-Third Party Advisory
37754-Third Party Advisory
ADV-2009-3316-Permissions Required
RHSA-2009:1650-Broken Link
RHSA-2009:1615-Third Party Advisory
RHSA-2009:1636-Broken Link
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
RHSA-2009:1637-Broken Link
37460-Third Party Advisory
SUSE-SR:2009:017-Third Party Advisory
RHSA-2009:1649-Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=512921
TA10-012A-Third Party Advisory, US Government Resource
DSA-1984-Third Party Advisory
38342-Third Party Advisory
38231-Third Party Advisory
USN-890-1-Third Party Advisory
1021506-Broken Link
SUSE-SR:2010:013-Third Party Advisory
43300-Third Party Advisory
ADV-2011-0359-Permissions Required
SSA:2011-041-02-Third Party Advisory
MDVSA-2011:108-Third Party Advisory
RHSA-2011:0858-Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
50549-Third Party Advisory
RHSA-2012:1232-Broken Link
RHSA-2012:1537-Broken Link
oval:org.mitre.oval:def:9356-Third Party Advisory
oval:org.mitre.oval:def:8520-Third Party Advisory
20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components-Third Party Advisory, VDB Entry
[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1-Mailing List, Vendor Advisory

Keywords

CVE-2009-2625

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2009-2625

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures