CVE-2022-4245

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Published: Sep 25, 2023
Updated: May 10, 2024
CVE: CVE-2022-4245
GHSA: GHSA-jcwr-x25h-x5fh
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-611
CWE-91

OWASP TOP 10:

A4 - XML External Entities (XXE)
A1 - Injection

Affected Software
References

Software	From	Fixed in
org.codehaus.plexus / plexus-utils	-	3.0.24
redhat / integration_camel_k	-	1.10.1
codehaus-plexus / plexus-utils	-	3.0.24

https://access.redhat.com/errata/RHSA-2023:2135
https://access.redhat.com/errata/RHSA-2023:3906
https://access.redhat.com/security/cve/CVE-2022-4245
https://bugzilla.redhat.com/show_bug.cgi?id=2149843
https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de
https://github.com/codehaus-plexus/plexus-utils/issues/3
https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102

Vulnerability Database

CVE-2022-4245

Deep Security Visibility Without the Complexity