Package details: pkg:maven/xerces/xercesImpl@2.3.0
purl: pkg:maven/xerces/xercesImpl@2.3.0
Next non-vulnerable version: 2.12.2
Latest non-vulnerable version: 2.12.2
Risk: 4.0
Vulnerabilities affecting this package (6)

Columns: Vulnerability, Aliases, Summary, Fixed by (each fixing version is annotated with how many of the other listed vulnerabilities still affect it).

VCID-1jx9-4esp-3ufk
  Aliases: CVE-2013-4002, GHSA-7j4h-8wpf-rqfh
  Fixed by: 2.12.0 (affected by 2 other vulnerabilities)

VCID-96gv-ug8n-juhb
  Aliases: CVE-2022-23437, GHSA-h65f-jvqw-m9fj, GHSA-xxx9-3xcr-gjj3, GMS-2022-788
  Summary: XML Injection in Xerces Java affects Nokogiri
## Summary
Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record. Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J
- **Severity**: Medium
- **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)
- **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and previous versions.
- **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
  Fixed by: 2.12.2 (affected by 0 other vulnerabilities)

VCID-guug-uscd-8yc7
  Aliases: CVE-2009-2625, GHSA-334p-wv2m-w3vp
  Fixed by: 2.10.0 (affected by 4 other vulnerabilities)

VCID-hz32-xjet-2uhq
  Aliases: CVE-2012-0881, GHSA-vmqm-g3vh-847m
  Summary: Denial of service in Apache Xerces2
  Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
  Fixed by: 2.12.0 (affected by 2 other vulnerabilities)

VCID-xpwb-tvp4-t7ed
  Aliases: CVE-2020-14338, GHSA-w4jq-qh47-hvjq
  Summary: Improper Input Validation in Xerces
  A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses similar code. All xerces jboss versions before 2.12.0.SP3 are affected.
  Fixed by: 2.12.sp3 (affected by 0 other vulnerabilities); 2.12.0.sp3 (affected by 0 other vulnerabilities); 2.12.1 (affected by 1 other vulnerability)

VCID-zt2n-vhms-x7by
  Aliases: CVE-2012-1724
  Fixed by: 2.4.0 (affected by 5 other vulnerabilities)
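The "fixed by" column above is per vulnerability, which is why a version such as 2.12.0 closes CVE-2013-4002 and CVE-2012-0881 yet is still "affected by 2 other vulnerabilities"; the "next non-vulnerable version" at the top of the page is the lowest version that no listed vulnerability reaches. The Python script below is an added worked example, not VulnerableCode's own code: it embeds the per-vulnerability fix versions constructed from the table above, compares a purl version against them, and derives both the per-version "affected by N other" counts and the 2.12.2 answer. Assumptions: the comparator is a simplified approximation of Maven's ComparableVersion ordering (numeric segments, trailing-zero trimming, and a handful of qualifiers such as `sp`), only the mainline Xerces-J line is modelled (the JBoss 2.12.sp3 / 2.12.0.sp3 builds are a separate lineage and are left out, so their "affected by 0" entries are not reproduced), and for CVE-2020-14338 only the mainline fix 2.12.1 is used.

```python
"""Added worked example (not VulnerableCode's code): evaluate a Maven purl
version against the per-vulnerability "fixed by" versions from the table
above and derive the package page's "next non-vulnerable version"."""
import re
from functools import cmp_to_key
from typing import List, Optional, Tuple, Union

# Constructed from the table above: vulnerability alias -> lowest fixing
# version on the mainline Xerces-J release line. The JBoss service-pack
# builds (2.12.sp3, 2.12.0.sp3) are a separate lineage and are left out
# (assumption: only mainline versions are reasoned about here).
FIXED_BY = {
    "CVE-2009-2625": "2.10.0",
    "CVE-2012-1724": "2.4.0",
    "CVE-2012-0881": "2.12.0",
    "CVE-2013-4002": "2.12.0",
    "CVE-2020-14338": "2.12.1",
    "CVE-2022-23437": "2.12.2",
}

# Pre-release qualifiers sort below a bare release; "sp" (service pack)
# sorts above it. Simplified from Maven's ComparableVersion rules (assumption).
QUALIFIER_RANK = {"alpha": -4, "beta": -3, "milestone": -3, "rc": -2,
                  "snapshot": -1, "sp": 1}

Token = Union[int, str]


def purl_version(purl: str) -> str:
    """Return the version of a purl such as pkg:maven/xerces/xercesImpl@2.3.0
    (qualifiers after '?' and a subpath after '#' are ignored)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        raise ValueError("purl has no version: " + purl)
    return core.rsplit("@", 1)[1]


def parse_version(v: str) -> List[Token]:
    """Tokenize '2.12.0.sp3' into [2, 12, 0, 'sp', 3]; trailing zero
    segments are dropped so that 2.12 and 2.12.0 compare equal."""
    tokens: List[Token] = [int(p) if p.isdigit() else p
                           for p in re.findall(r"\d+|[A-Za-z]+", v.lower())]
    while len(tokens) > 1 and tokens[-1] == 0:
        tokens.pop()
    return tokens


def _key(tok: Optional[Token]) -> Tuple[int, int]:
    """Sort key for one token: numbers rank above any qualifier, a missing
    token counts as a bare release, qualifiers follow QUALIFIER_RANK."""
    if tok is None:
        return (0, 0)
    if isinstance(tok, int):
        return (1, tok)
    return (0, QUALIFIER_RANK.get(tok, -5))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is below, equal to or above b."""
    ta, tb = parse_version(a), parse_version(b)
    for i in range(max(len(ta), len(tb))):
        ka = _key(ta[i] if i < len(ta) else None)
        kb = _key(tb[i] if i < len(tb) else None)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def affected_by(version: str) -> List[str]:
    """Vulnerabilities whose fixing version lies above the given version."""
    return sorted(vid for vid, fix in FIXED_BY.items()
                  if compare(version, fix) < 0)


def next_non_vulnerable(version: str) -> Optional[str]:
    """Lowest listed fix version at or above `version` that is itself
    affected by nothing, i.e. the page's 'next non-vulnerable version'."""
    for candidate in sorted(set(FIXED_BY.values()), key=cmp_to_key(compare)):
        if compare(candidate, version) >= 0 and not affected_by(candidate):
            return candidate
    return None


if __name__ == "__main__":
    v = purl_version("pkg:maven/xerces/xercesImpl@2.3.0")
    print(v, "is affected by", affected_by(v))
    for fix in ("2.4.0", "2.10.0", "2.12.0", "2.12.1", "2.12.2"):
        print(fix, "still affected by", len(affected_by(fix)), "other(s)")
    print("next non-vulnerable version:", next_non_vulnerable(v))
```

Running it against the purl from this page reports all six vulnerabilities for 2.3.0, the same "other" counts the table shows for 2.4.0, 2.10.0, 2.12.0 and 2.12.1, and 2.12.2 as the next non-vulnerable version. The practical reading for a dependency audit is that upgrading to the fix version of the one CVE a scanner flagged is not enough; the target has to clear every listed fix version, which for this package means 2.12.2 or later.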
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2025-08-01T10:14:38.892241+00:00 | GitLab Importer | Affected by | VCID-xpwb-tvp4-t7ed | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2020-14338.yml | 37.0.0
2025-08-01T10:11:12.235952+00:00 | GitLab Importer | Affected by | VCID-96gv-ug8n-juhb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2022-23437.yml | 37.0.0
2025-08-01T09:33:23.751921+00:00 | GitLab Importer | Affected by | VCID-hz32-xjet-2uhq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-0881.yml | 37.0.0
2025-08-01T08:52:15.509206+00:00 | GitLab Importer | Affected by | VCID-1jx9-4esp-3ufk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2013-4002.yml | 37.0.0
2025-08-01T08:51:28.575357+00:00 | GitLab Importer | Affected by | VCID-guug-uscd-8yc7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2009-2625.yml | 37.0.0
2025-08-01T08:41:36.779245+00:00 | GHSA Importer | Affected by | VCID-96gv-ug8n-juhb | https://github.com/advisories/GHSA-h65f-jvqw-m9fj | 37.0.0
2025-07-31T09:20:56.638604+00:00 | GitLab Importer | Affected by | VCID-zt2n-vhms-x7by | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/xerces/xercesImpl/CVE-2012-1724.yml | 37.0.0