CVE-2022-4245

XML Injection (aka Blind XPath Injection) (CWE-91)

Published: Dec 1, 2022 / Updated: 23mo ago

CVSS 4.3 / EPSS 0.05% / Medium

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
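The description above boils down to a comment writer that emits its input verbatim, so a `-->` in the input closes the comment and everything after it is parsed as markup. The following added example (not plexus-utils code) contrasts such an unsafe writer with one that breaks up double hyphens, and parses both outputs to show the difference; the input string is constructed.

```python
"""Added example: why an XML comment writer must sanitize '--' / '-->'.
The unsafe writer mirrors the behaviour the advisory describes; the
hardened one breaks up double hyphens so the comment cannot end early."""
import re
import xml.etree.ElementTree as ET


def write_comment_unsafe(text: str) -> str:
    """Emits <!-- text --> verbatim: a '-->' in text ends the comment."""
    return f"<!-- {text} -->"


def write_comment_safe(text: str) -> str:
    """XML 1.0 section 2.5 forbids '--' inside a comment, so a space is
    inserted after every hyphen that is followed by another hyphen.
    The surrounding spaces also keep a trailing '-' from forming '--->'."""
    return f"<!-- {re.sub(r'-(?=-)', '- ', text)} -->"


def child_tags(doc: str) -> list[str]:
    """Parses the document and returns the tag names under <root>.
    ElementTree drops comments, so any tag listed came from real markup."""
    return [child.tag for child in ET.fromstring(doc)]


# Constructed input: closes the comment early, then reopens one after it.
INJECTED = "build note --><injected/><!-- tail"


def demo() -> tuple[list[str], list[str]]:
    """Returns the element tags produced by the unsafe and safe writers."""
    unsafe_doc = f"<root>{write_comment_unsafe(INJECTED)}</root>"
    safe_doc = f"<root>{write_comment_safe(INJECTED)}</root>"
    return child_tags(unsafe_doc), child_tags(safe_doc)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe writer yields elements:", unsafe)  # ['injected']
    print("safe writer yields elements:", safe)      # []
```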

Timeline

First Article

Feedly found the first article mentioning CVE-2022-4245.

Dec 1, 2022 at 7:18 AM / access.redhat.com
CVE Assignment

NVD published the first details for CVE-2022-4245

Sep 25, 2023 at 8:15 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Sep 25, 2023 at 9:30 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 12.5%)

Sep 26, 2023 at 7:40 PM

Affected Systems

Redhat/integration_camel_k

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-250: XML Injection

Vendor Advisory

[GHSA-jcwr-x25h-x5fh] codehaus-plexus vulnerable to XML injection
GitHub Security Advisory: GHSA-jcwr-x25h-x5fh
Release Date: 2023-09-25
Update Date: 2023-09-26
Severity: Moderate
CVE: CVE-2022-4245
Base Score: 4.3
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package: org.codehaus.plexus:plexus-utils
Affected Versions:
Patched Versions: 3.0.24
Description: A flaw was found in codehaus-plexus.

References

(CVE-2022-4245) CVE-2022-4245 codehaus-plexus: XML External Entity (XXE) Injection
RHSA-2023:3906: Important: Red Hat Integration Camel K 1.10.1 release security update
Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed with this release.
CVE-2022-4245
Red Hat JBoss Enterprise Application Platform 6 - codehaus-plexus - Out of support scope Red Hat JBoss Data Grid 7 - codehaus-plexus - Out of support scope

News

cveNotify: CVE-2022-4245 A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. @cveNotify
RHEL 7 : codehaus-plexus (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. The vendor has acknowledged the vulnerabilities but no solution has been provided.
DSA-2024-076: Security Update for Dell Secure Connect Gateway Appliance Vulnerabilities
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability. https://nvd.nist.gov Json CVE-2023-5072 See NVD link below for individual scores for each CVE.
ESB-2023.6617 - [RedHat] Red Hat Process Automation Manager 7.13.3: CVSS (Max): 9.8
This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Contact information for the authors of the original document is included in the Security Bulletin above.
Multiple vulnerabilities in Red Hat Process Automation Manager 7.13
A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system. A remote attacker can pass specially crafted XML data to the application and perform arbitrary actions on the system.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability Impact: None
