CVE-2022-4245 - Vulnerability Details

- Codehaus-plexus: xml external entity (xxe) injection

Description

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Published: 2023-09-25

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	RHINT Camel-K-1.10.1	unaffected	—
Red Hat	RHPAM 7.13.1 async	unaffected	—
Red Hat	A-MQ Clients 2	affected	—
Red Hat	Red Hat A-MQ Online	affected	—
Red Hat	Red Hat build of Apache Camel for Spring Boot	affected	—
Red Hat	Red Hat build of Quarkus	affected	—
Red Hat	Red Hat Data Grid 8	affected	—
Red Hat	Red Hat Decision Manager 7	unknown	—
Red Hat	Red Hat Enterprise Linux 7	unknown	—
Red Hat	Red Hat Enterprise Linux 8	unaffected	—
Red Hat	Red Hat Enterprise Linux 8	unaffected	—
Red Hat	Red Hat Enterprise Linux 9	unaffected	—
Red Hat	Red Hat Enterprise Linux 9	unaffected	—
Red Hat	Red Hat Integration Camel Quarkus	affected	—
Red Hat	Red Hat Integration Change Data Capture	affected	—
Red Hat	Red Hat Integration Service Registry	affected	—
Red Hat	Red Hat JBoss A-MQ 7	affected	—
Red Hat	Red Hat JBoss Data Grid 7	unknown	—
Red Hat	Red Hat JBoss Enterprise Application Platform 6	unknown	—
Red Hat	Red Hat JBoss Enterprise Application Platform 7	unaffected	—
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	unaffected	—
Red Hat	Red Hat JBoss Fuse 6	unknown	—
Red Hat	Red Hat JBoss Fuse 7	affected	—
Red Hat	Red Hat JBoss Fuse Service Works 6	unknown	—
Red Hat	Red Hat JBoss Web Server 3	unknown	—
Red Hat	Red Hat JBoss Web Server 5	unaffected	—
Red Hat	Red Hat OpenShift Application Runtimes	unaffected	—
Red Hat	Red Hat Process Automation 7	affected	—
Red Hat	Red Hat Single Sign-On 7	affected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	unaffected	—
Red Hat	Red Hat Software Collections	unaffected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	unaffected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	unaffected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	affected	—
Red Hat	Red Hat Software Collections	unaffected	—
Red Hat	Red Hat support for Spring Boot	affected	—

Configuration 1 [-]

cpe:2.3:a:codehaus-plexus:plexus-utils:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
RHINT Camel-K-1.10.1
codehaus-plexus	cpe:/a:redhat:camel_k:1	RHSA-2023:3906	2023-06-28T00:00:00Z
RHPAM 7.13.1 async
	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:2135	2023-05-04T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2535	A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
Github GHSA	GHSA-jcwr-x25h-x5fh	codehaus-plexus vulnerable to XML injection

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:2135
https://access.redhat.com/errata/RHSA-2023:3906
https://access.redhat.com/security/cve/CVE-2022-4245
https://bugzilla.redhat.com/show_bug.cgi?id=2149843
https://nvd.nist.gov/vuln/detail/CVE-2022-4245
https://www.cve.org/CVERecord?id=CVE-2022-4245

History

Thu, 10 Oct 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codehaus-plexus Codehaus-plexus plexus-utils
CPEs	cpe:2.3:a:codehaus-plexus_project:codehaus-plexus::::::::	cpe:2.3:a:codehaus-plexus:plexus-utils::::::::
Vendors & Products	Codehaus-plexus Project Codehaus-plexus Project codehaus-plexus	Codehaus-plexus Codehaus-plexus plexus-utils

Subscriptions

Codehaus-plexus Plexus-utils

Redhat A Mq Clients Amq Broker Amq Online Camel K Camel Quarkus Camel Spring Boot Enterprise Linux Integration Integration Camel K Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Jboss Enterprise Brms Platform Jboss Enterprise Web Server Jboss Fuse Jboss Fuse Service Works Jbosseapxp Openshift Application Runtimes Quarkus Red Hat Single Sign On Rhel Software Collections Service Registry

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-25T19:20:57.329Z

Updated: 2024-08-03T01:34:49.896Z

Reserved: 2022-12-01T06:39:39.475Z

Link: CVE-2022-4245

Vulnrichment

Updated: 2024-08-03T01:34:49.896Z

NVD

Status : Modified

Published: 2023-09-25T20:15:10.400

Modified: 2024-11-21T07:34:51.700

Link: CVE-2022-4245

Redhat

Severity : Moderate

Publid Date: 2022-12-01T00:00:00Z

Links: CVE-2022-4245 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object