High severity · NVD Advisory · Published Jul 23, 2013 · Updated Jun 16, 2026
CVE-2013-4002
Description
XMLScanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xerces:xercesImpl (Maven) | < 2.12.0 | 2.12.0 |
Affected products (91)
- cpe:2.3:a:ibm:host_on-demand:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:host_on-demand:11.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.12.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:5.0.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:6.0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:java:7.0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:sterling_b2b_integrator:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:sterling_file_gateway:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:sterling_file_gateway:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update51:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update60:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update40:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.5.0:update51:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update60:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update40:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:-:*:*:*
- cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_java:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_java:11:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_java:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_sdk:11:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_sdk:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:ltss:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:-:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:-:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
- cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
ghsa-coords (2 versions)
- (no CPE) range: < 2.12.0
- (no CPE) range: < 1.7.0.121-1.1
References (55)
- svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java (nvd: Patch, Vendor Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-updates/2013-11/msg00023.html (nvd: Third Party Advisory, WEB)
- marc.info (nvd: Issue Tracking, Mailing List, Third Party Advisory, WEB)
- marc.info (nvd: Issue Tracking, Mailing List, Third Party Advisory, WEB)
- secunia.com/advisories/56257 (nvd: Third Party Advisory)
- security.gentoo.org/glsa/glsa-201406-32.xml (nvd: Third Party Advisory, WEB)
- support.apple.com/kb/HT5982 (nvd: Third Party Advisory, WEB)
- www-01.ibm.com/support/docview.wss (nvd: Vendor Advisory, WEB)
- www-01.ibm.com/support/docview.wss (nvd: Vendor Advisory, WEB)
- www-01.ibm.com/support/docview.wss (nvd: Vendor Advisory, WEB)
- www-01.ibm.com/support/docview.wss (nvd: Vendor Advisory, WEB)
- www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html (nvd: Third Party Advisory, WEB)
- www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002 (nvd: Vendor Advisory, WEB)
- www.ibm.com/developerworks/java/jdk/alerts/ (nvd: Vendor Advisory, WEB)
- www.securityfocus.com/bid/61310 (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-2033-1 (nvd: Third Party Advisory, WEB)
- www.ubuntu.com/usn/USN-2089-1 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2014:0414 (nvd: Third Party Advisory, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/85260 (nvd: VDB Entry, Vendor Advisory, WEB)
- github.com/advisories/GHSA-7j4h-8wpf-rqfh (ghsa: ADVISORY)
- issues.apache.org/jira/browse/XERCESJ-1679 (nvd: Issue Tracking, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2013-4002 (ghsa: ADVISORY)
- www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html (nvd: Third Party Advisory, WEB)
- lists.apple.com/archives/security-announce/2013/Oct/msg00001.html (nvd: Broken Link, Mailing List, WEB)
- rhn.redhat.com/errata/RHSA-2013-1059.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1060.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1081.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1440.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1447.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1451.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2013-1505.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2014-1818.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2014-1821.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2014-1822.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2014-1823.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2015-0675.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2015-0720.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2015-0765.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2015-0773.html (nvd: Broken Link, WEB)
- www.ibm.com/support/docview.wss (nvd: Broken Link, WEB)
- github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17 (ghsa: WEB)
- lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa: WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (nvd: WEB)
- lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E (nvd)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (nvd)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (nvd)