Description
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
Remediation
References
https://issues.apache.org/jira/browse/XMLBEANS-517
https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
https://poi.apache.org/
https://security.netapp.com/advisory/ntap-20210513-0004/
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Related Vulnerabilities
CVE-2022-24785 Vulnerability in maven package org.webjars.bower:moment
CVE-2019-1003073 Vulnerability in maven package org.jenkins-ci.plugins:vsts-cd
CVE-2022-41249 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient
CVE-2022-23181 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2022-45207 Vulnerability in maven package org.jeecgframework.boot:jeecg-module-system