Description
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Remediation
References
http://marc.info/?l=bugtraq&m=145706712500978&w=2
http://www.securityfocus.com/archive/1/536266/100/0/threaded
http://www.securityfocus.com/bid/76394
http://www.securitytracker.com/id/1033337
http://www.vmware.com/security/advisories/VMSA-2015-0008.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05026202
https://helpx.adobe.com/content/help/en/security/products/coldfusion/apsb15-21.html
https://helpx.adobe.com/security/products/livecycleds/apsb15-20.html
https://www.zerodayinitiative.com/advisories/ZDI-22-508/
Related Vulnerabilities
CVE-2019-10792 Vulnerability in npm package bodymen
CVE-2015-7499 Vulnerability in npm package libxmljs
CVE-2022-39313 Vulnerability in npm package parse-server
CVE-2018-1000194 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2017-7678 Vulnerability in maven package org.apache.spark:spark-core_2.11