Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Remediation
References
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://www.debian.org/security/2016/dsa-3575
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://www.securitytracker.com/id/1036419
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
Related Vulnerabilities
CVE-2022-26183 Vulnerability in npm package pnpm
CVE-2022-47105 Vulnerability in maven package org.jeecgframework.boot:jeecg-module-system
CVE-2017-3151 Vulnerability in maven package org.apache.atlas:apache-atlas
CVE-2019-16566 Vulnerability in maven package org.jenkins-ci.plugins:teamconcert
CVE-2018-19839 Vulnerability in maven package org.webjars.npm:node-sass