GHSA-3f7h-mf4q-vrm4

Опубликовано: 17 сент. 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Denial of Service due to parser crash

Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

This vulnerability is only relevant for users making use of the DTD parsing functionality.

Ссылки

Пакеты

Наименование

com.fasterxml.woodstox:woodstox-core

maven

Затронутые версииВерсия исправления

>= 6.0.0, < 6.4.0

6.4.0

Наименование

com.fasterxml.woodstox:woodstox-core

maven

Затронутые версииВерсия исправления

< 5.4.0

5.4.0

EPSS

Процентиль: 73%

0.00762

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2022-40152

Дефекты

CWE-121

CWE-787

Связанные уязвимости

CVE-2022-40152

CVSS3: 6.5

ubuntu

больше 3 лет назад

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.