Description
An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
Remediation
References
https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E
Related Vulnerabilities
CVE-2017-7681 Vulnerability in maven package org.apache.openmeetings:openmeetings-server
CVE-2022-45379 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2019-0205 Vulnerability in maven package org.apache.thrift:libthrift
CVE-2022-42920 Vulnerability in maven package org.apache.bcel:bcel
CVE-2023-42278 Vulnerability in maven package cn.hutool:hutool-core