Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Remediation
Upgrade XStream to version 1.4.9 or later; the description above states that versions before 1.4.9 are affected, and the 1.4.9 changelog is listed in the references below.
References
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.debian.org/security/2016/dsa-3575
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://www.securitytracker.com/id/1036419
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
Related Vulnerabilities
CVE-2022-36896 Vulnerability in maven package com.compuware.jenkins:compuware-scm-downloader
CVE-2019-16538 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2020-36184 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-2192 Vulnerability in maven package org.jenkins-ci.plugins:swarm-plugin