Description

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Remediation

References

https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E

Related Vulnerabilities

CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

CVE-2022-45400 Vulnerability in maven package org.jvnet.hudson.plugins:japex

CVE-2020-2224 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project

CVE-2019-10350 Vulnerability in maven package org.jenkins-ci.plugins:port-allocator

CVE-2023-40337 Vulnerability in maven package org.jenkins-ci.plugins:cloudbees-folder

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Mailing List Vendor Advisory