CVE-2009-2625 · threatengine.sh

Home/CVE/XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15

CVE

CVE-2009-2625

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

MEDIUM · CVSS 5 EPSS 0.01044

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

▤

Affected Products & Versions

9

oracle jdkall versions
fedoraproject fedoraall versions
opensuseall versions
suse linux enterprise serverall versions
debian linuxall versions
canonical ubuntu linuxall versions
oracle primavera p6 enterprise project portfolio managementall versions
oracle primavera web servicesall versions
Show all 9 affected productsapache xerces2 javaall versions

▤

Affected Packages

1

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven xerces:xercesImpl MODERATE fixed in 2.10.0

▣

Scoring & Timeline

5

MEDIUM · CVSS v2 (legacy) · cret@cert.org

View on NVD

This CVE predates CVSS v3; the legacy v2 score is shown so triage still has a severity to work with.

v2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Published to NVD06 Aug 2009 · 03:30 PM

⚑

Vendor Advisories

30

suse-csafopenSUSE-SU-2024:10077-1
suse-csafopenSUSE-SU-2024:10268-1
suse-csafopenSUSE-SU-2024:10568-1
suse-csafopenSUSE-SU-2024:11586-1
rhsaRHSA-2017:3239Moderate
Show all 30 vendor advisoriesrhsaRHSA-2013:0763Moderate
rhsaRHSA-2012:1232Important
rhsaRHSA-2011:0896Low
rhsaRHSA-2011:0492Moderate
rhsaRHSA-2011:0491Moderate
usnUSN-890-1
rhsaRHSA-2009:1636Low
rhsaRHSA-2009:1649Low
rhsaRHSA-2009:1637Low
rhsaRHSA-2009:1650Low
rhsaRHSA-2009:1625Moderate
rhsaRHSA-2009:1551Important
rhsaRHSA-2010:0043Important
rhsaRHSA-2009:1662Important
usnUSN-814-1
rhsaRHSA-2009:1200Moderate
rhsaRHSA-2009:1199Low
rhsaRHSA-2009:1582Moderate
rhsaRHSA-2009:1236Moderate
rhsaRHSA-2009:1201Moderate
rhsaRHSA-2012:1537Moderate
rhsaRHSA-2012:0725Moderate
rhsaRHSA-2009:1505Moderate
rhsaRHSA-2009:1615Moderate
rhsaRHSA-2011:0858Moderate

🔗

References & Sources

63

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.htmlMailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.htmlThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.htmlThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.htmlThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.htmlThird Party Advisory

http://marc.info/?l=bugtraq&m=125787273209737&w=2Mailing ListThird Party Advisory

Show all 63 references

http://rhn.redhat.com/errata/RHSA-2012-1232.htmlBroken Link

http://rhn.redhat.com/errata/RHSA-2012-1537.htmlBroken Link

http://secunia.com/advisories/36162Third Party Advisory

http://secunia.com/advisories/36176Third Party Advisory

http://secunia.com/advisories/36180Third Party Advisory

http://secunia.com/advisories/36199Third Party Advisory

http://secunia.com/advisories/37300Third Party Advisory

http://secunia.com/advisories/37460Third Party Advisory

http://secunia.com/advisories/37671Third Party Advisory

http://secunia.com/advisories/37754Third Party Advisory

http://secunia.com/advisories/38231Third Party Advisory

http://secunia.com/advisories/38342Third Party Advisory

http://secunia.com/advisories/43300Third Party Advisory

http://secunia.com/advisories/50549Third Party Advisory

http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026Third Party Advisory

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1Broken LinkPatch

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1Broken LinkPatchVendor Advisory

http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1Broken Link

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1Broken Link

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=hPatchVendor Advisory

http://www.cert.fi/en/reports/2009/vulnerability2009085.htmlThird Party Advisory

http://www.codenomicon.com/labs/xml/Third Party Advisory

http://www.debian.org/security/2010/dsa-1984Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2009:209Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2011:108Third Party Advisory

http://www.networkworld.com/columnists/2009/080509-xml-flaw.htmlThird Party Advisory

http://www.openwall.com/lists/oss-security/2009/09/06/1Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2009/10/22/9Mailing ListPatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2009/10/23/6Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2009/10/26/3Mailing ListThird Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.htmlThird Party Advisory

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.htmlBroken Link

http://www.redhat.com/support/errata/RHSA-2009-1615.htmlThird Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-0858.htmlThird Party Advisory

http://www.securityfocus.com/archive/1/507985/100/0/threadedThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/35958Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1022680Third Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-890-1Third Party Advisory

http://www.us-cert.gov/cas/techalerts/TA09-294A.htmlThird Party AdvisoryUS Government Resource

http://www.us-cert.gov/cas/techalerts/TA10-012A.htmlThird Party AdvisoryUS Government Resource

http://www.vmware.com/security/advisories/VMSA-2009-0016.htmlThird Party Advisory

http://www.vupen.com/english/advisories/2009/2543Permissions Required

http://www.vupen.com/english/advisories/2009/3316Permissions Required

http://www.vupen.com/english/advisories/2011/0359Permissions Required

https://bugzilla.redhat.com/show_bug.cgi?id=512921Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356Third Party Advisory

https://rhn.redhat.com/errata/RHSA-2009-1199.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1200.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1201.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1636.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1637.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1649.htmlBroken Link

https://rhn.redhat.com/errata/RHSA-2009-1650.htmlBroken Link

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.htmlMailing ListThird Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.htmlMailing ListThird Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin