{"containers": {"cna": {"affected": [{"product": "liquibase/liquibase", "vendor": "liquibase", "versions": [{"lessThan": "4.8.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:44:56.000Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"advisory": "f1ae5779-b406-4594-a8a3-d089c68d6e70", "discovery": "EXTERNAL"}, "title": "Improper Restriction of XML External Entity Reference in liquibase/liquibase", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0839", "STATE": "PUBLIC", "TITLE": "Improper Restriction of XML External Entity Reference in liquibase/liquibase"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "liquibase/liquibase", "version": {"version_data": [{"version_affected": "<", "version_value": "4.8.0"}]}}]}, "vendor_name": "liquibase"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611 Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"}, {"name": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381", "refsource": "MISC", "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"advisory": "f1ae5779-b406-4594-a8a3-d089c68d6e70", "discovery": "EXTERNAL"}}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "http://seclists.org/fulldisclosure/2025/Apr/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:26:41.199Z"}}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0839", "datePublished": "2022-03-04T14:25:10.000Z", "dateReserved": "2022-03-03T00:00:00.000Z", "dateUpdated": "2025-11-03T19:26:41.199Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:liquibase:liquibase:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7182354-CBC3-4D65-952D-B3A42FBDA74D", "versionEndExcluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:sqlcl:19c:*:*:*:*:*:*:*", "matchCriteriaId": "8ED7C03D-9CC5-41CA-8639-4055169DF369", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."}, {"lang": "es", "value": "Una Restricci\u00f3n Inapropiada de la Referencia de Entidad Externa XML en el repositorio de GitHub liquibase/liquibase versiones anteriores a 4.8.0"}], "id": "CVE-2022-0839", "lastModified": "2025-11-03T20:15:52.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T15:15:09.097", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"}, {"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Apr/14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHEA-2022:5463", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.0", "product_name": "Red Hat Single Sign-On 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-0:1-4.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5452", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-0:1-4.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}, {"advisory": "RHBA-2022:5454", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2022-06-30T00:00:00Z"}], "bugzilla": {"description": "liquibase: Improper Restriction of XML External Entity", "id": "2081484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081484"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-611", "details": ["Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.", "A flaw was found in Liquiibase's XMLChangeLogSAXParser() function. It uses SAXParser with no FEATURE_SECURE_PROCESSING set, which could possibly allow XML External Entity (XXE) attacks."], "name": "CVE-2022-0839", "package_state": [{"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "liquibase", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "liquibase", "product_name": "Red Hat Satellite 6"}], "public_date": "2022-01-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-0839\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0839\nhttps://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"], "statement": "The impact to Satellite up to 6.11 is very low, as it does not use custom or external XSD in Candlepin's liquibase changelog files. Satellite 6.12 and later versions are not affected by this flaw.", "threat_severity": "Important"}

{}