CVE-2019-12400: Apache Santuario potentially loads XML parsing code from an untrusted source

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects the following releases of Apache Santuario XML Security for Java:
- All 2.0.x releases from 2.0.3.
- All 2.1.x releases before 2.1.4. The issue is fixed in 2.1.4.
- 2.0.2 and earlier releases are not affected.

Description:
In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc.

Mitigation:
Users of Apache Santuario XML Security for Java after 2.0.2 should update to the 2.1.4 release.

Credit:
This issue was discovered by Sean Mullan.
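The following is an added illustration of the lookup path described above and a defensive alternative; it is not Santuario's code. `DocumentBuilderFactory.newInstance()` resolves the implementation through the standard JAXP lookup order, which includes a `ServiceLoader` search on the thread context class loader, whereas the pinned variant names the implementation class and the class loader that must resolve it, and the pool verifies which loader supplied each builder before caching it. The expected factory class name and the pool shape are assumptions made for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public final class DocumentBuilderPoolDemo {

    // JDK-bundled JAXP implementation; assumed here as the expected provider.
    private static final String EXPECTED_FACTORY =
        "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl";

    // Default lookup: system property, jaxp.properties, ServiceLoader on the
    // thread context class loader, then the JDK default. A provider registered
    // with the context class loader is honoured here; once such a builder is
    // placed in a static pool it is reused for every later document.
    static DocumentBuilder builderViaDefaultLookup() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Pinned lookup: the implementation and the loader are named explicitly, so
    // context-class-loader service registrations are not consulted. (A null
    // loader would fall back to the context class loader, hence this class's.)
    static DocumentBuilder builderViaPinnedLookup() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(
            EXPECTED_FACTORY, DocumentBuilderPoolDemo.class.getClassLoader());
        return f.newDocumentBuilder();
    }

    // The builder's class must come from the same loader as the JAXP API itself
    // (the JDK's loader), not from an application or context class loader.
    static boolean isFromExpectedLoader(DocumentBuilder b) {
        return b.getClass().getClassLoader() == DocumentBuilderFactory.class.getClassLoader();
    }

    // Static pool (assumed shape): builders are admitted only after the check.
    private static final Deque<DocumentBuilder> POOL = new ArrayDeque<>();

    static synchronized DocumentBuilder borrow() throws ParserConfigurationException {
        DocumentBuilder b = POOL.poll();
        if (b == null) {
            b = builderViaPinnedLookup();
            if (!isFromExpectedLoader(b)) {
                throw new IllegalStateException(
                    "unexpected DocumentBuilder implementation: " + b.getClass().getName());
            }
        }
        return b;
    }

    static synchronized void giveBack(DocumentBuilder b) {
        b.reset();   // clear per-document state before the builder is reused
        POOL.push(b);
    }
}
```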