CVE Vulnerabilities

CVE-2022-23437

Loop with Unreachable Exit Condition ('Infinite Loop')

Published: Jan 24, 2022 | Modified: Aug 08, 2023
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
7.1 HIGH
AV:N/AC:M/Au:N/C:N/I:N/A:C
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Theres a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name Vendor Start Version End Version
Xerces-j Apache * 2.12.1 (including)
Red Hat JBoss Enterprise Application Platform 7.1.0 RedHat xerces-j2 *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el7eap *
RHPAM 7.13.1 async RedHat xercesimpl *
Libxerces2-java Ubuntu bionic *
Libxerces2-java Ubuntu impish *
Libxerces2-java Ubuntu kinetic *
Libxerces2-java Ubuntu lunar *
Libxerces2-java Ubuntu trusty *
Libxerces2-java Ubuntu xenial *

References