CVE-2009-2625
Moderate severity · NVD Advisory · Published Aug 6, 2009 · Updated Jun 16, 2026
Description
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| xerces:xercesImpl | Maven | < 2.10.0 | 2.10.0 |
Affected products
- cpe:2.3:a:apache:xerces2_java:2.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update16:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update18:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update19:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update8:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:7.0:sp1:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:-:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:-:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
- GHSA version ranges (no CPE assigned):
  - < 2.10.0
  - < 2.2.0-3.1
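The advisory gives two independent exposure conditions: the standalone `xerces:xercesImpl` artifact before 2.10.0, and the Xerces copy bundled inside Sun/Oracle JDK and JRE 6 before Update 15 and 5.0 before Update 20. A triage check therefore has to look at both the build's dependency tree and the runtime's Java version. The script below is an added example, not code from the page, from Apache Xerces or from the GHSA; it assumes the line format printed by `mvn dependency:list` and the first line printed by `java -version`, and the sample dependency output is constructed for the demonstration. The version thresholds are the ones stated in the description and the Affected packages table.

```python
"""Triage helper for CVE-2009-2625: flag a vulnerable xercesImpl artifact and/or
a Sun/Oracle JDK whose bundled Xerces predates the fix.

Added example; thresholds come from the advisory, input formats are assumptions.
"""
import re

# Fixed versions per the advisory: xercesImpl 2.10.0, JDK 6 Update 15, JDK 5.0 Update 20.
XERCES_FIXED = (2, 10, 0)
JDK_FIXED_UPDATE = {"1.5.0": 20, "1.6.0": 15}

# Constructed sample of `mvn dependency:list` output (assumed format, not from the page).
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.9.1:compile
[INFO]    xml-apis:xml-apis:jar:1.3.04:compile
[INFO]    org.apache.httpcomponents:httpclient:jar:4.5.13:compile
"""

# groupId:artifactId:type:version:scope as printed by the Maven dependency plugin.
DEP_RE = re.compile(r"^\[INFO\]\s+xerces:xercesImpl:jar:([^:\s]+):")

# Matches 1.5.0 / 1.6.0 with an optional _NN update; the lookbehind keeps
# "21.6.0"-style strings from matching "1.6.0" in their middle.
JDK_RE = re.compile(r'(?<!\d)(1\.[56]\.0)(?:_(\d+))?')


def parse_version(v):
    """'2.9.1' -> (2, 9, 1). Always three components so that '2.10'
    compares equal to 2.10.0 rather than sorting below it; a non-numeric
    tail such as '-SNAPSHOT' is dropped."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums)


def xerces_affected(version):
    """True when the xercesImpl version is below the 2.10.0 fix."""
    return parse_version(version) < XERCES_FIXED


def scan_maven_output(text):
    """Return the affected xercesImpl versions found in dependency:list output.
    Only the named artifact is checked: shaded or relocated copies of Xerces
    inside other jars are not visible to this test."""
    hits = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m and xerces_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


def jdk_affected(version_line):
    """True for JDK/JRE 6 before Update 15 and 5.0 before Update 20.
    Accepts the first line of `java -version`, e.g. 'java version "1.6.0_14"'.
    Returns None for any other Java family, which the advisory does not cover."""
    m = JDK_RE.search(version_line)
    if not m:
        return None
    family, update = m.group(1), int(m.group(2) or 0)
    return update < JDK_FIXED_UPDATE[family]


def report(mvn_output, java_version_line):
    """Combine both checks into one result for a build/runtime pair."""
    return {
        "xerces_affected_versions": scan_maven_output(mvn_output),
        "jdk_affected": jdk_affected(java_version_line),
    }


if __name__ == "__main__":
    print(report(SAMPLE_MVN_OUTPUT, 'java version "1.6.0_14"'))
```

A `None` from `jdk_affected` means "not in scope of this CVE", not "safe": a JDK 7 or later runtime still runs whatever `xercesImpl` jar the application ships, so both halves of the report matter.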
References
- sunsolve.sun.com/search/document.do (nvd: Broken Link, Patch)
- sunsolve.sun.com/search/document.do (nvd: Broken Link, Patch, Vendor Advisory)
- svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java (nvd: Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2009/10/22/9 (nvd: Mailing List, Patch, Third Party Advisory)
- lists.apple.com/archives/security-announce/2009/Sep/msg00000.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html (nvd: Third Party Advisory)
- marc.info (nvd: Mailing List, Third Party Advisory)
- secunia.com/advisories/36162 (nvd: Third Party Advisory)
- secunia.com/advisories/36176 (nvd: Third Party Advisory)
- secunia.com/advisories/36180 (nvd: Third Party Advisory)
- secunia.com/advisories/36199 (nvd: Third Party Advisory)
- secunia.com/advisories/37300 (nvd: Third Party Advisory)
- secunia.com/advisories/37460 (nvd: Third Party Advisory)
- secunia.com/advisories/37671 (nvd: Third Party Advisory)
- secunia.com/advisories/37754 (nvd: Third Party Advisory)
- secunia.com/advisories/38231 (nvd: Third Party Advisory)
- secunia.com/advisories/38342 (nvd: Third Party Advisory)
- secunia.com/advisories/43300 (nvd: Third Party Advisory)
- secunia.com/advisories/50549 (nvd: Third Party Advisory)
- slackware.com/security/viewer.php (nvd: Third Party Advisory)
- www.cert.fi/en/reports/2009/vulnerability2009085.html (nvd: Third Party Advisory)
- www.codenomicon.com/labs/xml/ (nvd: Third Party Advisory; ghsa)
- www.debian.org/security/2010/dsa-1984 (nvd: Third Party Advisory)
- www.mandriva.com/security/advisories (nvd: Third Party Advisory)
- www.networkworld.com/columnists/2009/080509-xml-flaw.html (nvd: Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/09/06/1 (nvd: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/10/23/6 (nvd: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2009/10/26/3 (nvd: Mailing List, Third Party Advisory)
- www.oracle.com/technetwork/topics/security/cpujan2010-084891.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2009-1615.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2011-0858.html (nvd: Third Party Advisory)
- www.securityfocus.com/archive/1/507985/100/0/threaded (nvd: Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/35958 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-890-1 (nvd: Third Party Advisory)
- www.us-cert.gov/cas/techalerts/TA09-294A.html (nvd: Third Party Advisory, US Government Resource)
- www.us-cert.gov/cas/techalerts/TA10-012A.html (nvd: Third Party Advisory, US Government Resource)
- www.vmware.com/security/advisories/VMSA-2009-0016.html (nvd: Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Third Party Advisory)
- github.com/advisories/GHSA-334p-wv2m-w3vp (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2009-2625 (ghsa: Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 (nvd: Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html (nvd: Mailing List, Third Party Advisory)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2012-1232.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2012-1537.html (nvd: Broken Link)
- sunsolve.sun.com/search/document.do (nvd: Broken Link)
- www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html (nvd: Broken Link)
- www.vupen.com/english/advisories/2009/2543 (nvd: Permissions Required)
- www.vupen.com/english/advisories/2009/3316 (nvd: Permissions Required)
- www.vupen.com/english/advisories/2011/0359 (nvd: Permissions Required)
- github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b (ghsa)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa; nvd)
- rhn.redhat.com/errata/RHSA-2009-1199.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1200.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1201.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1636.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1637.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1649.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2009-1650.html (nvd: Broken Link)
- snyk.io/vuln/SNYK-JAVA-XERCES-32014 (ghsa)