Description

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Remediation

References

https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E

Related Vulnerabilities

CVE-2023-33005 Vulnerability in maven package org.jenkins-ci.plugins:wso2id-oauth

CVE-2020-1717 Vulnerability in maven package org.keycloak:keycloak-parent

CVE-2019-1003033 Vulnerability in maven package org.jenkins-ci.plugins:groovy

CVE-2022-45396 Vulnerability in maven package com.thalesgroup.hudson.plugins:sourcemonitor

CVE-2020-11975 Vulnerability in maven package org.apache.unomi:unomi-common

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Mailing List Vendor Advisory