Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Remediation
References
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://www.debian.org/security/2016/dsa-3575
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://www.securitytracker.com/id/1036419
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
Related Vulnerabilities
CVE-2020-15999 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-40339 Vulnerability in maven package org.jenkins-ci.plugins:config-file-provider
CVE-2022-24728 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4
CVE-2017-3586 Vulnerability in maven package mysql:mysql-connector-java
CVE-2022-36897 Vulnerability in maven package com.compuware.jenkins:compuware-xpediter-code-coverage