CVE-2020-14338: 
Java vulnerability analysis and mitigation

A flaw was discovered in Wildfly's implementation of Xerces, specifically in the XMLSchemaValidator class within the JAXP component. The vulnerability (CVE-2020-14338) affects all Xerces JBoss versions before 2.12.0.SP3 and is related to the incomplete application of the 'use-grammar-pool-only' feature. This issue is similar to CVE-2020-14621 which affected OpenJDK (CVE Database, Red Hat Bugzilla).

The vulnerability exists in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforces the 'use-grammar-pool-only' feature. The flaw allows manipulation of the XML validation process through specially-crafted XML files in certain cases. The issue was assigned a severity rating of 'Moderate' by Red Hat Product Security (Red Hat Bugzilla).

When exploited, this vulnerability allows an attacker to manipulate the XML validation process using specially-crafted XML files, potentially affecting the security of applications using the affected versions of Xerces within Wildfly (CVE Database).

The vulnerability was addressed through multiple security updates. Red Hat released fixes in various products including JBoss Enterprise Application Platform 7.3 for RHEL 6, 7, and 8, EAP 7.3.3, Red Hat Single Sign-On 7.4.3, and other related products. The fix was implemented in Xerces JBoss version 2.12.0.SP3 (Red Hat Bugzilla).