Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Remediation
References
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.debian.org/security/2016/dsa-3575
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://www.securitytracker.com/id/1036419
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html