Bug 2149843 (CVE-2022-4245) - CVE-2022-4245 codehaus-plexus: XML External Entity (XXE) Injection
Summary: CVE-2022-4245 codehaus-plexus: XML External Entity (XXE) Injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4245
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2156483 2156484 2156485 2156486 2156488 2156489 2156491 2157638 2157639 2157640 2157641 2157642 2157643 2157644
Blocks: 2149832
Reported: 2022-12-01 06:45 UTC by Sandipan Roy
Modified: 2023-09-22 14:13 UTC (History)

Fixed In Version: codehaus-plexus 3.0.24
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment method fails to sanitize comments for a --> sequence. This means that text contained in the comment string could be interpreted as XML and allow for XML injection.
Clone Of:
Environment:
Last Closed: 2023-06-28 20:18:23 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3906 0 None None None 2023-06-28 15:59:20 UTC

Description Sandipan Roy 2022-12-01 06:45:39 UTC
org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.

https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102
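To make the mechanism in the description concrete, the following added example (written in Python for illustration; it is not plexus-utils code and does not reproduce the library's actual implementation) contrasts a comment writer that wraps its input verbatim, as described for writeComment, with one that neutralises every "--" run. A comment value ending the comment early lets the rest of the string be parsed as markup, while a harmless "--" inside the text makes the output malformed; both cases are checked by parsing the result. The element names and the INJECTED value are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET


def write_comment_unsanitized(comment: str) -> str:
    # Mirrors the flaw described in the bug: the text is wrapped verbatim,
    # so a "-->" inside it terminates the comment early.
    return f"<!-- {comment} -->"


def write_comment_sanitized(comment: str) -> str:
    # XML forbids "--" anywhere inside a comment, so every hyphen that is
    # directly followed by another hyphen gets a space after it. That breaks
    # up "-->" and also prevents "--" from producing malformed output.
    safe = re.sub(r"-(?=-)", "- ", comment)
    return f"<!-- {safe} -->"


def build_document(writer, comment: str) -> str:
    # Hypothetical wrapper element around the emitted comment (constructed).
    return f"<config>{writer(comment)}</config>"


def child_tags(xml_text: str) -> list:
    # Element names that a standard parser sees under the root; comments
    # are discarded by ElementTree's default tree builder.
    root = ET.fromstring(xml_text)
    return [child.tag for child in root]


def is_well_formed(xml_text: str) -> bool:
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed comment text that closes the comment and injects an element.
INJECTED = "build notes --><admin>true</admin><!-- "
# Constructed comment text that is merely awkward, not an injection attempt.
DOUBLE_DASH = "a -- b"


if __name__ == "__main__":
    for name, writer in (("unsanitized", write_comment_unsanitized),
                         ("sanitized", write_comment_sanitized)):
        doc = build_document(writer, INJECTED)
        print(f"{name}: {doc}")
        print(f"  elements under <config>: {child_tags(doc)}")
        print(f"  '{DOUBLE_DASH}' well-formed: "
              f"{is_well_formed(build_document(writer, DOUBLE_DASH))}")
```

Run it and the unsanitized writer yields a well-formed document in which the injected <admin> element is a real child of <config>, while the sanitized writer leaves the whole value inside a single comment. The same parse-and-inspect check is a reasonable regression test for any code that emits XML comments from untrusted strings.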

Comment 5 Patrick Del Bello 2023-01-02 12:59:15 UTC
Created extra-enforcer-rules tracking bugs for this issue:

Affects: fedora-37 [bug 2157638]


Created maven tracking bugs for this issue:

Affects: fedora-37 [bug 2157639]


Created maven-antrun-plugin tracking bugs for this issue:

Affects: fedora-37 [bug 2157640]


Created maven-compiler-plugin tracking bugs for this issue:

Affects: fedora-37 [bug 2157641]


Created maven-plugin-bundle tracking bugs for this issue:

Affects: fedora-37 [bug 2157642]


Created maven-source-plugin tracking bugs for this issue:

Affects: fedora-37 [bug 2157643]


Created pomchecker tracking bugs for this issue:

Affects: fedora-37 [bug 2157644]

Comment 8 Chess Hazlett 2023-05-31 14:55:54 UTC
adjusting RHPAM from OOSS to affected/delegated per request from engineering in https://issues.redhat.com/browse/RHDM-1949.

Comment 11 errata-xmlrpc 2023-06-28 15:59:16 UTC
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.1

Via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906

Comment 12 Product Security DevOps Team 2023-06-28 20:18:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4245

Comment 13 Pedro Sampaio 2023-07-27 14:08:39 UTC
The component is shipped in rhint-camel-spring-boot-3 but it's not used. Changing specific impact to low.

