CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Published: Sep 16, 2022
Updated: May 9, 2024
CVE: CVE-2022-40152
GHSA: GHSA-3f7h-mf4q-vrm4
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
fasterxml / woodstox	-	5.4.0
fasterxml / woodstox	6.0.0	6.4.0
com.fasterxml.woodstox / woodstox-core	6.0.0	6.4.0
com.fasterxml.woodstox / woodstox-core	-	5.4.0
xstream / xstream	-	1.4.20

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434
https://github.com/FasterXML/woodstox/issues/157
https://github.com/FasterXML/woodstox/issues/160
https://github.com/FasterXML/woodstox/pull/159
https://github.com/x-stream/xstream/issues/304

Vulnerability Database

289,599

CVE-2022-40152