{"id":"CVE-2022-23437","details":"There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and earlier versions.","aliases":["GHSA-h65f-jvqw-m9fj"],"modified":"2026-04-11T12:38:40.318872Z","published":"2022-01-24T15:15:09.317Z","related":["SUSE-SU-2022:0500-1","SUSE-SU-2022:0503-1","SUSE-SU-2022:0542-1","SUSE-SU-2022:14889-1","openSUSE-SU-2022:0500-1","openSUSE-SU-2022:0503-1","openSUSE-SU-2024:11845-1","openSUSE-SU-2024:11999-1","openSUSE-SU-2024:13165-1","openSUSE-SU-2024:14174-1","openSUSE-SU-2025:14697-1","openSUSE-SU-2026:10356-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"2.12.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"6.2.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.3.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"7.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*"},{"extracted_events":[{"introduced":"8.0.6.0.0"},{"last_affected":"8.0.9.0"},{"introduced":"8.1.0.0"},{"fixed":"8.1.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_analytical_applica
tions_infrastructure:*:*:*:*:*:*:*:*"},{"extracted_events":[{"introduced":"8.0.6.0.0"},{"last_affected":"8.0.8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.1.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.1.1.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.1.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.8.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.8.3.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.7.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.7.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0.8.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.1.1.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.1.1.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3
:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.4.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"13.9.4.2.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"13.9.4.2.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*"},{"extracted_events":[{"fixed":"12.2.0.1.30"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"},{"extracted_events":[{"introduced":"3.0.1"},{"last_affected":"3.0.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.0.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"6.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"6.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.58"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.59"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"},{"extracted_events":[{"introduced":"17.7"},{"last_affected":"17.12.11"},{"introduced":"18.8.0"},{"last_affected":"18.8.14"},{"introduced":"19.12.0"},{"last_affected":"19.12.13"},{"introduced":"20.12.0"},{"last_affected":"20.12.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.6.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.
1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.3.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"13.2.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.1.3.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.0.3.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.1.3.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.0.3.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.1.3.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.0.3.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3
:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.2.1.3.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.2.1.4.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.1.1.0.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/24/3"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221028-0005/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/xerces2-j","events":[{"introduced":"0"},{"last_affected":"c9862305e4876e529d8fdba96639f1c3c196a87b"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.7"},{"last_affected":"2.7.0"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*"]}}],"versions":["Xerces-J_2_7_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23437.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}