VYPR
High severity · NVD Advisory · Published Jul 23, 2013 · Updated Apr 29, 2026

CVE-2013-4002

Description

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: xerces:xercesImpl (Maven)
Affected versions: < 2.12.0
Patched versions: 2.12.0

Affected products (89)

  • cpe:2.3:a:apache:xerces2_java:*:*:*:*:*:*:*:*
    Range: >=2.4.0,<2.12.0
  • IBM Host On-Demand (11 versions)
    • cpe:2.3:a:ibm:host_on-demand:11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:host_on-demand:11.0.8:*:*:*:*:*:*:*
  • IBM Java (43 versions)
    • cpe:2.3:a:ibm:java:5.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.12.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.15.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.16.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.16.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:5.0.16.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:6.0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:java:7.0.4.2:*:*:*:*:*:*:*
  • IBM Sterling B2B Integrator (3 versions)
    • cpe:2.3:a:ibm:sterling_b2b_integrator:5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*
  • IBM Sterling File Gateway (2 versions)
    • cpe:2.3:a:ibm:sterling_file_gateway:2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:sterling_file_gateway:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*
  • Oracle JDK (3 versions)
    • cpe:2.3:a:oracle:jdk:1.5.0:update51:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update60:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update40:*:*:*:*:*:*
  • Oracle JRE (3 versions)
    • cpe:2.3:a:oracle:jre:1.5.0:update51:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update60:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update40:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*
    Range: >=r27.7.0,<=r27.7.6
  • Canonical Ubuntu Linux (5 versions)
    • cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
  • openSUSE (2 versions)
    • cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
  • SUSE Linux Enterprise Desktop (2 versions)
    • cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:-:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
  • SUSE Linux Enterprise Java (3 versions)
    • cpe:2.3:o:suse:linux_enterprise_java:10:sp4:*:*:*:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_java:11:sp2:*:*:*:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_java:11:sp3:*:*:*:*:*:*
  • SUSE Linux Enterprise SDK (2 versions)
    • cpe:2.3:o:suse:linux_enterprise_sdk:11:sp2:*:*:*:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_sdk:11:sp3:*:*:*:*:*:*
  • SUSE Linux Enterprise Server (7 versions)
    • cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:ltss:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:-:*:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:-:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
    • cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*

Patches (1)

266e837852e0

The only legal names in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'. Replacing the generic call to the scanner with a specialized method which only allows these legal XML pseudo attribute names. This improves the performance of the XML scanner when it is processing the XML declaration.

https://github.com/apache/xerces2-j · Michael Glavassevich · Jul 3, 2013 · via ghsa
1 file changed · +30 -1
  • src/org/apache/xerces/impl/XMLScanner.java (+30 -1, modified)
    @@ -542,7 +542,7 @@ public String scanPseudoAttribute(boolean scanningTextDecl,
             // document is until we scan the encoding declaration
             // you cannot reliably read any characters outside
             // of the ASCII range here. -- mrglavas
    -        String name = fEntityScanner.scanName();
    +        String name = scanPseudoAttributeName();
             XMLEntityManager.print(fEntityManager.getCurrentEntity());
             if (name == null) {
                 reportFatalError("PseudoAttrNameExpected", null);
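Review bot: the null branch here now carries two meanings: scanPseudoAttributeName() returns null both when nothing name-like is present and when the name is anything other than version, encoding or standalone, so `reportFatalError("PseudoAttrNameExpected", null)` will also fire for a misspelled pseudo-attribute (constructed example: `<?xml versoin="1.0"?>`), whereas the old scanName() call would have consumed the whole name first. That is the intended tightening, but the commit message should state the behaviour change, and a more specific message for the present-but-unrecognised-name case would help users diagnose it. The adjacent `XMLEntityManager.print(fEntityManager.getCurrentEntity());` in the context lines reads like leftover debug output and could be removed in the same change.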
    @@ -598,6 +598,35 @@ else if (isInvalidLiteral(c)) {
     
         } // scanPseudoAttribute(XMLString):String
         
    +    /**
    +     * Scans the name of a pseudo attribute. The only legal names
    +     * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
    +     * 
    +     * @return the name of the pseudo attribute or <code>null</code>
    +     * if a legal pseudo attribute name could not be scanned.
    +     */
    +    private String scanPseudoAttributeName() throws IOException, XNIException {
    +        final int ch = fEntityScanner.peekChar();
    +        switch (ch) {
    +            case 'v':
    +                if (fEntityScanner.skipString(fVersionSymbol)) {
    +                    return fVersionSymbol;
    +                }
    +                break;
    +            case 'e':
    +                if (fEntityScanner.skipString(fEncodingSymbol)) {
    +                    return fEncodingSymbol;
    +                }
    +                break;
    +            case 's':
    +                if (fEntityScanner.skipString(fStandaloneSymbol)) {
    +                    return fStandaloneSymbol;
    +                }
    +                break;
    +        }
    +        return null;
    +    } // scanPseudoAttributeName()
    +    
         /**
          * Scans a processing instruction.
          * <p>
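Review bot: scanPseudoAttributeName() matches a literal prefix rather than a delimited token: if skipString(fVersionSymbol) consumes `version` regardless of the character that follows, which nothing in the visible lines rules out, input such as `versionfoo="1.0"` (constructed) returns fVersionSymbol and leaves `foo` in the stream, so correctness depends on the caller in scanPseudoAttribute rejecting anything other than whitespace or '=' next. Either a peekChar() check for that delimiter before each return, or a one-line comment stating the contract, would make the method self-contained. A `default:` branch, even if only a comment, would make the fall-through to `return null` explicit, and the Javadoc could note that the returned values are the interned fVersionSymbol/fEncodingSymbol/fStandaloneSymbol constants rather than a freshly scanned string.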
    
