Описание
Уязвимость библиотеки codehaus-plexus фреймворка Apache Maven связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
Вендор
Red Hat Inc.
Сообщество свободного программного обеспечения
Novell Inc.
Codehaus
Elastic NV
Наименование ПО
Red Hat Enterprise Linux
Red Hat JBoss Fuse
Debian GNU/Linux
Red Hat Software Collections
Red Hat Single Sign-On
Red Hat JBoss Data Grid
SUSE Linux Enterprise Module for Development Tools
A-MQ Clients
Red Hat Process Automation
Red Hat build of Quarkus
Red Hat Integration Service Registry
Red Hat Integration Camel Quarkus
Red Hat Data Grid
Red Hat JBoss Fuse Service Works
Red Hat JBoss Enterprise Application Platform Expansion Pack
SUSE Linux Enterprise High Performance Computing
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
SUSE Manager Proxy
SUSE Manager Server
Suse Linux Enterprise Desktop
SUSE Enterprise Storage
SUSE Manager Retail Branch Server
Red Hat Integration Change Data Capture
SUSE Linux Enterprise Real Time
SUSE Linux Enterprise Server Business Critical Linux
Decision Manager
Red Hat Integration Camel for Spring Boot
Red Hat JBoss A-MQ
Red Hat JBoss Enterprise Application Platform
Red Hat support for Spring Boot
Red Hat A-MQ Online
Plexus
Red Hat Integration Camel K
Red Hat JBoss Web Server
Logstash
Red Hat Process Automation Manager
Версия ПО
7 (Red Hat Enterprise Linux)
7 (Red Hat JBoss Fuse)
10 (Debian GNU/Linux)
- (Red Hat Software Collections)
7 (Red Hat Single Sign-On)
6 (Red Hat JBoss Fuse)
7 (Red Hat JBoss Data Grid)
15 SP2 (SUSE Linux Enterprise Module for Development Tools)
2 (A-MQ Clients)
7 (Red Hat Process Automation)
- (Red Hat build of Quarkus)
- (Red Hat Integration Service Registry)
- (Red Hat Integration Camel Quarkus)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
8 (Red Hat Data Grid)
6 (Red Hat JBoss Fuse Service Works)
- (Red Hat JBoss Enterprise Application Platform Expansion Pack)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
7 (SUSE Enterprise Storage)
15 SP2 (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
4.1 (SUSE Manager Server)
4.1 (SUSE Manager Proxy)
15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Module for Development Tools)
4.1 (SUSE Manager Retail Branch Server)
15 SP2 (Suse Linux Enterprise Desktop)
15 SP2 (SUSE Linux Enterprise High Performance Computing)
- (Red Hat Integration Change Data Capture)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP2-BCL (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
15 SP2-LTSS (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Real Time)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Development Tools)
15 SP2 (SUSE Linux Enterprise Server Business Critical Linux)
7 (Decision Manager)
- (Red Hat Integration Camel for Spring Boot)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
15 SP3-BCL (Suse Linux Enterprise Server)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
7 (Red Hat JBoss A-MQ)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Development Tools)
15 SP4 (SUSE Linux Enterprise Real Time)
6 (Red Hat JBoss Enterprise Application Platform)
- (Red Hat support for Spring Boot)
- (Red Hat A-MQ Online)
15 SP4-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP4-LTSS (SUSE Linux Enterprise High Performance Computing)
до 3.0.24 (Plexus)
15 SP4-LTSS (Suse Linux Enterprise Server)
1.10.1 (Red Hat Integration Camel K)
3 (Red Hat JBoss Web Server)
15 SP3 (SUSE Linux Enterprise Server Business Critical Linux)
8.12.1 (Logstash)
7.13.1 async (Red Hat Process Automation Manager)
Тип ПО
Операционная система
Прикладное ПО информационных систем
Сетевое программное средство
Сетевое средство
Операционные системы и аппаратные платформы
Red Hat Inc. Red Hat Enterprise Linux 7
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Сообщество свободного программного обеспечения Debian GNU/Linux 11
Сообщество свободного программного обеспечения Debian GNU/Linux 12
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Desktop 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Desktop 15 SP2
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP2
Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP2
Novell Inc. SUSE Linux Enterprise Real Time 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Desktop 15 SP5
Novell Inc. SUSE Linux Enterprise Real Time 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS
Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP3
Уровень опасности уязвимости
Средний уровень опасности (базовая оценка CVSS 2.0 составляет 4)
Средний уровень опасности (базовая оценка CVSS 3.0 составляет 4,3)
Возможные меры по устранению уязвимости
Использование рекомендаций:
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-4245.html
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2022-4246
Для codehaus-plexus:
https://github.com/codehaus-plexus/plexus-utils/issues/3
https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-4245
Для Logstash:
Организационные меры:
1. Ограничить использование программного средства
2. Использование аналогичного программного средства
Статус уязвимости
Подтверждена производителем
Наличие эксплойта
Данные уточняются
Информация об устранении
Уязвимость устранена
Ссылки на источники
Идентификаторы других систем описаний уязвимостей
- CVE
EPSS
Процентиль: 34%
0.00138
Низкий
4.3 Medium
CVSS3
4 Medium
CVSS2
Связанные уязвимости
CVSS3: 4.3
ubuntu
больше 2 лет назад
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
CVSS3: 4.3
redhat
около 3 лет назад
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
CVSS3: 4.3
nvd
больше 2 лет назад
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
CVSS3: 4.3
debian
больше 2 лет назад
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml. ...
EPSS
Процентиль: 34%
0.00138
Низкий
4.3 Medium
CVSS3
4 Medium
CVSS2