CVE-2019-12400
Description
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Santuario XML Security for Java 2.0.3+ and 2.1.x before 2.1.4 improperly caches DocumentBuilders, allowing untrusted code to inject a malicious implementation via the context class loader.
Vulnerability Analysis
CVE-2019-12400 is a security flaw in Apache Santuario XML Security for Java 2.0.x releases from 2.0.3 onward and all 2.1.x releases prior to 2.1.4. The vulnerability arises from a caching mechanism introduced to improve performance: the library keeps a static pool of DocumentBuilders to speed up XML document creation. An attacker who can register a malicious DocumentBuilder implementation with the thread context class loader before Santuario initializes its cache may cause the library to cache and reuse that rogue implementation [4].
Exploitation
Exploitation requires that untrusted code can execute prior to Santuario's first use of the DocumentBuilder pool, typically in environments like application servers where multiple components share a JVM. If the attacker can load a malicious class via the context class loader, the cached builder will be used for subsequent XML signature verification or document processing, potentially bypassing security checks [1][2][3].
Impact
Successful exploitation could allow an attacker to subvert XML Signature validation, leading to forged or altered signed documents being accepted as authentic. The impact is primarily on the integrity and trustworthiness of XML-based signatures within affected applications [4].
Mitigation
Apache Santuario has fixed this issue in version 2.1.4. Users of affected releases should upgrade to 2.1.4 or a later version. Red Hat has also released patched packages in RHSA-2020:0804, RHSA-2020:0805, RHSA-2020:0806 for Red Hat JBoss Enterprise Application Platform [1][2][3].
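The root cause described above is a JAXP factory resolved through the thread context class loader and then held in a static pool, so whatever implementation answered first is reused for every later parse. The example below is added here to illustrate the defensive side of that mechanism; it is not Santuario's code and does not reproduce its pool. It assumes a deployment that trusts only the JDK's bundled Xerces fork and the standalone Apache Xerces implementation (the allowlist is constructed for this example), and it uses the standard `DocumentBuilderFactory.newInstance(String, ClassLoader)` overload to pin the implementation to a class loader the application controls instead of the thread context class loader. The startup guard is a hypothetical hardening measure; upgrading to 2.1.4 or later remains the actual fix.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.util.Set;

public class DocumentBuilderProvenanceCheck {

    // Constructed allowlist for this example: the DOM factory implementations this
    // deployment is willing to cache. Adjust to whatever your platform actually ships.
    private static final Set<String> TRUSTED_FACTORY_CLASSES = Set.of(
        "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl",
        "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");

    // Resolve the factory the way a plain newInstance() does: JAXP consults the
    // thread context class loader (system property, service configuration files,
    // then the default). Returns the class that actually answered, which is the
    // value a defender wants to log or assert on.
    public static String resolveViaContextClassLoader() {
        return DocumentBuilderFactory.newInstance().getClass().getName();
    }

    // Hardened resolution: name the implementation explicitly and load it through a
    // class loader the application controls. A provider registered on the thread
    // context class loader is never consulted on this path.
    public static DocumentBuilderFactory resolvePinned(String factoryClass, ClassLoader loader) {
        if (!TRUSTED_FACTORY_CLASSES.contains(factoryClass)) {
            throw new IllegalStateException("refusing untrusted DocumentBuilderFactory: " + factoryClass);
        }
        return DocumentBuilderFactory.newInstance(factoryClass, loader);
    }

    // Hypothetical startup guard: run once, before any component populates a static
    // parser pool, and fail fast if the context-class-loader lookup would hand back an
    // implementation that is not on the allowlist.
    public static void assertTrustedFactory() {
        String resolved = resolveViaContextClassLoader();
        if (!TRUSTED_FACTORY_CLASSES.contains(resolved)) {
            throw new IllegalStateException(
                "DocumentBuilderFactory resolved to unexpected implementation " + resolved
                + " via context class loader " + Thread.currentThread().getContextClassLoader());
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        assertTrustedFactory();

        // Pin to the JDK's bundled implementation, loaded through this class's own loader.
        DocumentBuilderFactory dbf = resolvePinned(
            "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl",
            DocumentBuilderProvenanceCheck.class.getClassLoader());

        // Settings a signature-validating service would want regardless of this CVE.
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        DocumentBuilder db = dbf.newDocumentBuilder();
        System.out.println("DOM parser in use: " + db.getClass().getName());
    }
}
```

The value of `resolveViaContextClassLoader()` is worth recording at startup in any shared-JVM deployment (application servers, plugin hosts): if it ever differs from the allowlist, some other component on the context class loader has registered a JAXP provider, which is exactly the precondition the advisory describes.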
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.santuario:xmlsec | Maven | >= 2.0.3, < 2.1.4 | 2.1.4 |
Affected products
- GHSA coordinates (no CPE): range >= 2.0.3, < 2.1.4
- (no CPE): range < 2.1.7-1.1
- Range: all 2.0.x releases from 2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2020:0804 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2020:0805 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2020:0806 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2020:0811 (Red Hat vendor advisory)
- github.com/advisories/GHSA-4q98-wr72-h35w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12400 (NVD advisory)
- santuario.apache.org/secadv.data/CVE-2019-12400.asc (vendor confirmation)
- lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c%40%3Cdev.santuario.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4b8bf5b89498cab24c@%3Cdev.santuario.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce%40%3Cdev.santuario.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c44ad803e8728308ce@%3Cdev.santuario.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626%40%3Ccommits.tomee.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/r107bffb06a5e27457fe9af7dfe3a233d0d36c6c2f5122f117eb7f626@%3Ccommits.tomee.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4%40%3Ccommits.tomee.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/rcdc0da94fe21b26493eae47ca987a290bdf90c721a7a42491fdd41d4@%3Ccommits.tomee.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402%40%3Ccommits.tomee.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/rf82be0a7c98cd3545e20817bb96ed05551ea0020acbaf9a469fef402@%3Ccommits.tomee.apache.org%3E (mailing list, via GHSA)
- lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03%40%3Ccommits.tomee.apache.org%3E (mailing list, via MITRE)
- lists.apache.org/thread.html/rf958cea96236de8829940109ae07e870aa3d59235345421e4924ff03@%3Ccommits.tomee.apache.org%3E (mailing list, via GHSA)
- security.netapp.com/advisory/ntap-20190910-0003 (NetApp advisory, via GHSA)
- security.netapp.com/advisory/ntap-20190910-0003/ (NetApp advisory, vendor confirmation via MITRE)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)
News mentions
No linked articles in our index yet.