CVE-2019-12400

Name of the Vulnerable Software and Affected Versions Apache Santuario XML Security for Java versions 2.0.3 through 2.1.3

Description The issue is related to a caching mechanism introduced in version 2.0.3 of Apache Santuario XML Security for Java, which can lead to potential security flaws when validating signed documents. This is due to the possibility of untrusted code registering a malicious implementation with the thread context class loader, which might be cached and re-used by the software. The vulnerability is associated with insufficient input validation in the DOM analyzer of DocumentBuilders, allowing an attacker to gain unauthorized access to protected information.

Recommendations For Apache Santuario XML Security for Java versions 2.0.3 through 2.1.3, update to version 2.1.4 or later to resolve the issue. For versions prior to 2.1.4, consider disabling the caching mechanism for DocumentBuilders as a temporary workaround until a patch is available. At the moment, there is no other information about additional mitigation measures for this vulnerability.