VulnerableCode Package Details - pkg:maven/xerces/xercesImpl@2.12.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-c2s2-wsy6-sufn Aliases: CVE-2022-23437 GHSA-h65f-jvqw-m9fj	XML Injection (aka Blind XPath Injection) There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.	2.12.2 Affected by 0 other vulnerabilities.
VCID-c3c2-b2bc-6bdh Aliases: CVE-2020-14338 GHSA-w4jq-qh47-hvjq	Improper Input Validation A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.	2.12.sp3 Affected by 0 other vulnerabilities. 2.12.0.sp3 Affected by 0 other vulnerabilities. 2.12.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-c2s2-wsy6-sufn
Aliases:
CVE-2022-23437
GHSA-h65f-jvqw-m9fj

XML Injection (aka Blind XPath Injection) There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

2.12.2
Affected by 0 other vulnerabilities.

VCID-c3c2-b2bc-6bdh
Aliases:
CVE-2020-14338
GHSA-w4jq-qh47-hvjq

Improper Input Validation A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

2.12.sp3
Affected by 0 other vulnerabilities.

2.12.0.sp3
Affected by 0 other vulnerabilities.

2.12.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-a6wc-3mp6-63ek	XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.	CVE-2013-4002 GHSA-7j4h-8wpf-rqfh
VCID-nnhm-vcmu-gkd7	Denial of service in Apache Xerces2 Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.	CVE-2012-0881 GHSA-vmqm-g3vh-847m

Vulnerability

Summary

Aliases

VCID-a6wc-3mp6-63ek

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

CVE-2013-4002
GHSA-7j4h-8wpf-rqfh

VCID-nnhm-vcmu-gkd7

Denial of service in Apache Xerces2 Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

CVE-2012-0881
GHSA-vmqm-g3vh-847m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:40:34.582975+00:00	GitLab Importer	Affected by	VCID-c3c2-b2bc-6bdh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2020-14338.yml	38.4.0
2026-04-16T21:38:06.200063+00:00	GitLab Importer	Affected by	VCID-c2s2-wsy6-sufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2022-23437.yml	38.4.0
2026-04-16T21:04:30.835082+00:00	GitLab Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-0881.yml	38.4.0
2026-04-16T20:30:44.804656+00:00	GitLab Importer	Fixing	VCID-a6wc-3mp6-63ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2013-4002.yml	38.4.0
2026-04-11T22:55:53.627238+00:00	GitLab Importer	Affected by	VCID-c3c2-b2bc-6bdh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2020-14338.yml	38.3.0
2026-04-11T22:52:34.047641+00:00	GitLab Importer	Affected by	VCID-c2s2-wsy6-sufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2022-23437.yml	38.3.0
2026-04-11T22:15:56.552244+00:00	GitLab Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-0881.yml	38.3.0
2026-04-11T21:41:08.993773+00:00	GitLab Importer	Fixing	VCID-a6wc-3mp6-63ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2013-4002.yml	38.3.0
2026-04-02T23:04:56.457684+00:00	GitLab Importer	Affected by	VCID-c3c2-b2bc-6bdh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2020-14338.yml	38.1.0
2026-04-02T23:01:57.532408+00:00	GitLab Importer	Affected by	VCID-c2s2-wsy6-sufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2022-23437.yml	38.1.0
2026-04-02T22:28:08.689103+00:00	GitLab Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-0881.yml	38.1.0
2026-04-02T21:55:19.101590+00:00	GitLab Importer	Fixing	VCID-a6wc-3mp6-63ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2013-4002.yml	38.1.0
2026-04-01T17:23:54.590412+00:00	GitLab Importer	Affected by	VCID-c3c2-b2bc-6bdh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2020-14338.yml	38.0.0
2026-04-01T17:20:48.644971+00:00	GitLab Importer	Affected by	VCID-c2s2-wsy6-sufn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2022-23437.yml	38.0.0
2026-04-01T16:46:05.161054+00:00	GitLab Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-0881.yml	38.0.0
2026-04-01T16:00:48.489237+00:00	GHSA Importer	Fixing	VCID-a6wc-3mp6-63ek	https://github.com/advisories/GHSA-7j4h-8wpf-rqfh	38.0.0
2026-04-01T15:58:15.151537+00:00	GHSA Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://github.com/advisories/GHSA-vmqm-g3vh-847m	38.0.0
2026-04-01T13:10:57.274932+00:00	GithubOSV Importer	Fixing	VCID-a6wc-3mp6-63ek	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j4h-8wpf-rqfh/GHSA-7j4h-8wpf-rqfh.json	38.0.0
2026-04-01T13:00:28.718457+00:00	GithubOSV Importer	Fixing	VCID-nnhm-vcmu-gkd7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vmqm-g3vh-847m/GHSA-vmqm-g3vh-847m.json	38.0.0
2026-04-01T12:46:49.614060+00:00	GitLab Importer	Fixing	VCID-a6wc-3mp6-63ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2013-4002.yml	38.0.0