Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
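The seven drivers named above are thin wrappers around standard DOM (JAXP) and StAX parsers, and the vulnerability is the default configuration of those parsers, which resolves external entities declared in a DOCTYPE. Upgrading to 1.4.9 is the fix; the following added example (not XStream's own code) shows what a hardened parser configuration looks like with the plain JAXP and StAX APIs, so that code which builds its own parser or driver for XStream can verify its settings. The class name, the sample documents and the helper methods are constructed for this illustration; the feature URIs and `XMLInputFactory` properties are the standard ones from Xerces and the StAX API.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsers {

    // Constructed sample: a document carrying a DOCTYPE. The entity here is internal and
    // harmless; a hardened parser must refuse the DOCTYPE itself, before it ever has to
    // decide whether a declared entity is internal or external.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";

    // Constructed sample: the same payload with no DOCTYPE, which must still parse.
    static final String PLAIN_DOC = "<note>hello</note>";

    /** DOM (JAXP) factory with DTD processing and external entity resolution disabled. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: with no entity declarations there is nothing to expand.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept a DOCTYPE anyway.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** StAX factory with DTD support and external entity resolution switched off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Text of the root element, or null when the hardened DOM parser rejected the input. */
    static String parseWithDom(String xml) {
        try {
            DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
            return b.parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return null; // DOCTYPE (or entity) rejected by the parser
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /** Same check via StAX: with SUPPORT_DTD off, an entity reference cannot be resolved. */
    static String parseWithStax(String xml) {
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    return null; // unresolved entity surfaced as an event: refuse the document
                }
            }
            return text.toString();
        } catch (XMLStreamException e) {
            return null; // undeclared entity or DTD error reported by the parser
        }
    }

    public static void main(String[] args) {
        System.out.println("DOM  plain   : " + parseWithDom(PLAIN_DOC));
        System.out.println("DOM  doctype : " + parseWithDom(DOC_WITH_DOCTYPE));
        System.out.println("StAX plain   : " + parseWithStax(PLAIN_DOC));
        System.out.println("StAX doctype : " + parseWithStax(DOC_WITH_DOCTYPE));
    }
}
```

The control sits in the parser configuration rather than in input validation: whether a DOCTYPE is rejected outright (DOM) or its entities are simply never resolved (StAX), the parser never reaches the point of opening a file or URL on the attacker's behalf. The same two factory configurations are what any custom XStream driver that hands XStream its own `DocumentBuilderFactory` or `XMLInputFactory` should be checked against.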
Remediation
References
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.debian.org/security/2016/dsa-3575
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://www.securitytracker.com/id/1036419
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
Related Vulnerabilities
CVE-2020-2217 Vulnerability in maven package org.jenkins-ci.plugins:compatibility-action-storage
CVE-2022-43417 Vulnerability in maven package org.jenkins-ci.plugins:katalon
CVE-2021-37695 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4
CVE-2019-17563 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2020-2303 Vulnerability in maven package org.jenkins-ci.plugins:active-directory