XML External Entity (XXE) Injection Affecting org.codehaus.plexus:plexus-utils package, versions [,3.0.24)
Do your applications use this vulnerable package?
6 Sep 2019
21 Sep 2015
How to fix?
org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.
org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a
--> sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.