CVE-2009-2625

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

CVSS 2.0 base score: 5.0 (Severity: Medium)
EPSS: 0.33%
Affected: n/a

References

Link (followed by its tags)
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026 third party advisory vendor advisory
https://rhn.redhat.com/errata/RHSA-2009-1200.html vendor advisory broken link
https://rhn.redhat.com/errata/RHSA-2009-1199.html vendor advisory broken link
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html third party advisory
http://www.ubuntu.com/usn/USN-890-1 third party advisory vendor advisory
http://secunia.com/advisories/36162 third party advisory
http://www.vupen.com/english/advisories/2009/2543 vdb entry permissions required
http://www.debian.org/security/2010/dsa-1984 third party advisory vendor advisory
http://www.openwall.com/lists/oss-security/2009/10/22/9 mailing list third party advisory patch
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1 vendor advisory broken link
http://secunia.com/advisories/37460 third party advisory
http://www.redhat.com/support/errata/RHSA-2009-1615.html third party advisory vendor advisory
http://www.vmware.com/security/advisories/VMSA-2009-0016.html third party advisory
http://marc.info/?l=bugtraq&m=125787273209737&w=2 mailing list third party advisory vendor advisory
http://secunia.com/advisories/37754 third party advisory
https://rhn.redhat.com/errata/RHSA-2009-1637.html vendor advisory broken link
http://www.cert.fi/en/reports/2009/vulnerability2009085.html third party advisory
http://www.codenomicon.com/labs/xml/ third party advisory
http://secunia.com/advisories/36199 third party advisory
http://rhn.redhat.com/errata/RHSA-2012-1537.html vendor advisory broken link
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html third party advisory vendor advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209 third party advisory vendor advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html mailing list third party advisory vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0858.html third party advisory vendor advisory
http://www.securitytracker.com/id?1022680 vdb entry third party advisory
http://secunia.com/advisories/37671 third party advisory
http://secunia.com/advisories/38342 third party advisory
https://rhn.redhat.com/errata/RHSA-2009-1636.html vendor advisory broken link
http://www.securityfocus.com/bid/35958 vdb entry third party advisory
http://www.securityfocus.com/archive/1/507985/100/0/threaded mailing list vdb entry third party advisory
https://rhn.redhat.com/errata/RHSA-2009-1649.html vendor advisory broken link
http://www.openwall.com/lists/oss-security/2009/10/26/3 third party advisory mailing list
http://www.us-cert.gov/cas/techalerts/TA09-294A.html third party advisory us government resource
http://secunia.com/advisories/50549 third party advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 vdb entry third party advisory signature
http://secunia.com/advisories/36180 third party advisory
http://secunia.com/advisories/38231 third party advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1 vendor advisory broken link
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108 third party advisory vendor advisory
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html third party advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html broken link
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 patch broken link
http://secunia.com/advisories/36176 third party advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html mailing list third party advisory vendor advisory
http://secunia.com/advisories/43300 third party advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 vdb entry third party advisory signature
http://www.us-cert.gov/cas/techalerts/TA10-012A.html third party advisory us government resource
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html third party advisory vendor advisory
http://rhn.redhat.com/errata/RHSA-2012-1232.html vendor advisory broken link
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1 broken link patch vendor advisory
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h patch vendor advisory
http://secunia.com/advisories/37300 third party advisory
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html mailing list third party advisory vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html third party advisory vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=512921 issue tracking third party advisory
https://rhn.redhat.com/errata/RHSA-2009-1201.html vendor advisory broken link
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html third party advisory vendor advisory
http://www.openwall.com/lists/oss-security/2009/09/06/1 third party advisory mailing list
http://www.openwall.com/lists/oss-security/2009/10/23/6 third party advisory mailing list
http://www.vupen.com/english/advisories/2011/0359 vdb entry permissions required
http://www.vupen.com/english/advisories/2009/3316 vdb entry permissions required
https://rhn.redhat.com/errata/RHSA-2009-1650.html vendor advisory broken link
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E mailing list

Frequently Asked Questions

What is the severity of CVE-2009-2625?
CVE-2009-2625 has been scored as a medium severity vulnerability.
How to fix CVE-2009-2625?
To fix CVE-2009-2625, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2009-2625 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2009-2625 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.