Description
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Remediation
References
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html
http://rhn.redhat.com/errata/RHSA-2016-2822.html
http://rhn.redhat.com/errata/RHSA-2016-2823.html
http://www.debian.org/security/2016/dsa-3575
http://www.openwall.com/lists/oss-security/2016/03/25/8
http://www.openwall.com/lists/oss-security/2016/03/28/1
http://www.securityfocus.com/bid/85381
http://www.securitytracker.com/id/1036419
http://x-stream.github.io/changes.html#1.4.9
https://github.com/x-stream/xstream/issues/25
Related Vulnerabilities
CVE-2020-7618 Vulnerability in npm package sds
CVE-2022-23458 Vulnerability in maven package org.webjars.bowergithub.nhn:tui.grid
CVE-2017-16006 Vulnerability in maven package org.webjars:remarkable
CVE-2022-37259 Vulnerability in npm package steal
CVE-2021-40111 Vulnerability in maven package org.apache.james:james-server