Description

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html

http://rhn.redhat.com/errata/RHSA-2016-2822.html

http://rhn.redhat.com/errata/RHSA-2016-2823.html

http://www.debian.org/security/2016/dsa-3575

http://www.openwall.com/lists/oss-security/2016/03/25/8

http://www.openwall.com/lists/oss-security/2016/03/28/1

http://www.securityfocus.com/bid/85381

http://www.securitytracker.com/id/1036419

http://x-stream.github.io/changes.html#1.4.9

https://github.com/x-stream/xstream/issues/25

Related Vulnerabilities

CVE-2014-0120 Vulnerability in maven package io.hawt:hawtio-system

CVE-2021-22144 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2020-26282 Vulnerability in maven package com.browserup:browserup-proxy-rest

CVE-2017-3165 Vulnerability in maven package org.apache.brooklyn:brooklyn-jsgui

CVE-2023-46122 Vulnerability in maven package org.scala-sbt:io_2.13

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Broken Link Mailing List VDB Entry Vendor Advisory