VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-ff7b-9g5f-aaar

Essentials
Severities (104)
References (19)
Severity details (7)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-ff7b-9g5f-aaar
Aliases	CVE-2020-14338 GHSA-w4jq-qh47-hvjq
Summary	A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-20	Improper Input Validation
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:4244
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:4245
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:4246
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:4247
rhas	Moderate	https://access.redhat.com/errata/RHSA-2020:4931
rhas	Important	https://access.redhat.com/errata/RHSA-2020:5361
rhas	Important	https://access.redhat.com/errata/RHSA-2021:0600
rhas	Important	https://access.redhat.com/errata/RHSA-2021:0603
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:3140
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14338.json
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00090	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00435	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.0048	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.0048	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.0048	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.0048	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00579	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00579	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00588	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00672	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00672	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00672	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00672	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00672	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
epss	0.00911	https://api.first.org/data/v1/epss?cve=CVE-2020-14338
rhbs	medium	https://bugzilla.redhat.com/show_bug.cgi?id=1860054
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-w4jq-qh47-hvjq
cvssv3.1	5.3	https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E
generic_textual	MODERATE	https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E
cvssv2	5.0	https://nvd.nist.gov/vuln/detail/CVE-2020-14338
cvssv3	5.3	https://nvd.nist.gov/vuln/detail/CVE-2020-14338
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2020-14338

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14338.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-14338
		https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E
		https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103%40%3Cj-users.xerces.apache.org%3E
1860054		https://bugzilla.redhat.com/show_bug.cgi?id=1860054
cpe:2.3:a:redhat:xerces::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:xerces::::::::
cpe:2.3:a:redhat:xerces:2.12.0:sp1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:xerces:2.12.0:sp1::::::
cpe:2.3:a:redhat:xerces:2.12.0:sp2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:xerces:2.12.0:sp2::::::
CVE-2020-14338		https://nvd.nist.gov/vuln/detail/CVE-2020-14338
GHSA-w4jq-qh47-hvjq		https://github.com/advisories/GHSA-w4jq-qh47-hvjq
RHSA-2020:4244		https://access.redhat.com/errata/RHSA-2020:4244
RHSA-2020:4245		https://access.redhat.com/errata/RHSA-2020:4245
RHSA-2020:4246		https://access.redhat.com/errata/RHSA-2020:4246
RHSA-2020:4247		https://access.redhat.com/errata/RHSA-2020:4247
RHSA-2020:4931		https://access.redhat.com/errata/RHSA-2020:4931
RHSA-2020:5361		https://access.redhat.com/errata/RHSA-2020:5361
RHSA-2021:0600		https://access.redhat.com/errata/RHSA-2021:0600
RHSA-2021:0603		https://access.redhat.com/errata/RHSA-2021:0603
RHSA-2021:3140		https://access.redhat.com/errata/RHSA-2021:3140

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14338.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14338

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14338

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-14338

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.39561
EPSS Score	0.00090
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.