CVE-2022-23437 - Denial of Service (DoS)

Severity: Medium
Date: 2022-11-07


Abstract

There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles specially crafted XML document payloads. Such a payload causes the XercesJ XML parser to enter an infinite loop, which can consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and earlier.

The Oxygen products incorporate Apache Xerces Java (XercesJ) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                              Severity   Fixed Release Availability
Oxygen XML Author v24.0 and older    Medium     Oxygen XML Author 24.1 build 2022030807
Oxygen XML Developer v24.0 and older Medium     Oxygen XML Developer 24.1 build 2022030807
Oxygen XML Editor v24.0 and older    Medium     Oxygen XML Editor 24.1 build 2022030807

Mitigation

None

Detail

CVE-2022-23437

Severity: Medium

CVSS Score: 6.5

The Apache Xerces Java (XercesJ) third-party library used by the Oxygen XML products is one of the affected versions listed in the CVE-2022-23437 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022030807, the Apache Xerces Java (XercesJ) library was updated to v2.12.2, which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022030807, the Apache Xerces Java (XercesJ) library was updated to v2.12.2, which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022030807, the Apache Xerces Java (XercesJ) library was updated to v2.12.2, which fixes this vulnerability.
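The practical question for an administrator is which XercesJ build is actually loaded on a given classpath. The following check is an added example, not code from Oxygen or from the Xerces project: it reads the version string that the library itself reports through org.apache.xerces.impl.Version.getVersion() (format "Xerces-J 2.12.1") and flags anything below the 2.12.2 release named in this advisory. It assumes the standalone xercesImpl jar is on the classpath; the JDK-bundled copy lives under a different package and is not covered here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XercesVersionCheck {
    // First release that fixes CVE-2022-23437, as stated in the advisory.
    static final int[] FIXED = {2, 12, 2};

    // Parses "Xerces-J 2.12.1" into {2, 12, 1}; returns null if no x.y.z is found.
    static int[] parse(String versionString) {
        Matcher m = Pattern.compile("(\\d+)\\.(\\d+)\\.(\\d+)").matcher(versionString);
        if (!m.find()) {
            return null;
        }
        return new int[] {
            Integer.parseInt(m.group(1)),
            Integer.parseInt(m.group(2)),
            Integer.parseInt(m.group(3))
        };
    }

    // True when the reported version is older than 2.12.2 (or cannot be parsed,
    // which is treated as affected so an unknown build is never silently passed).
    static boolean isAffected(String versionString) {
        int[] v = parse(versionString);
        if (v == null) {
            return true;
        }
        for (int i = 0; i < FIXED.length; i++) {
            if (v[i] != FIXED[i]) {
                return v[i] < FIXED[i];
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String loaded;
        try {
            loaded = org.apache.xerces.impl.Version.getVersion();
        } catch (NoClassDefFoundError e) {
            System.out.println("Standalone XercesJ not found on the classpath");
            return;
        }
        System.out.println(loaded + (isAffected(loaded)
            ? " -> affected by CVE-2022-23437, upgrade to 2.12.2 or later"
            : " -> contains the CVE-2022-23437 fix"));
    }
}
```

Run it with the same classpath as the application under review, since a different Xerces jar earlier on the classpath is exactly what this check is meant to surface.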
