XML External Entity (XXE) Injection Affecting org.codehaus.plexus:plexus-utils package, versions [,3.0.24)


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS
0.34% (72nd percentile)

  • Snyk ID: SNYK-JAVA-ORGCODEHAUSPLEXUS-461102
  • published: 6 Sept 2019
  • disclosed: 21 Sept 2015
  • credit: Florian Weimer

Introduced: 21 Sep 2015

CVE-2022-4245
CWE-91

How to fix?

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

Overview

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML injection (CWE-91; Snyk files it under XML External Entity (XXE) Injection). org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment embeds the supplied comment text in a <!-- ... --> block without sanitizing a --> sequence. If any part of that comment string is attacker-controlled, it can close the comment early, so the rest of the string is written as live markup and is interpreted as XML by whatever later parses the generated document.
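The following is an added example, not code from plexus-utils: a minimal Python re-implementation of the comment-writer shape described above, beside a hardened variant, with the generated document parsed to show which elements end up in it. The constructed comment string, the helper names and the mitigation (rewriting every `--` as `- -`, which XML requires inside a comment anyway) are assumptions for illustration; the page does not show how version 3.0.24 itself fixes the method.

```python
import xml.etree.ElementTree as ET
from typing import Callable

# Constructed attacker-controlled comment text: the "-->" closes the comment
# early, the <build> element lands in the document as real markup, and the
# trailing "<!-- " swallows the writer's own closing "-->" so the output
# still parses cleanly.
MALICIOUS_COMMENT = "build info --><build><plugin>evil</plugin></build><!-- "


def write_comment_vulnerable(comment: str) -> str:
    """Mirrors the pre-3.0.24 shape of writeComment: text embedded verbatim."""
    return f"<!-- {comment} -->"


def write_comment_hardened(comment: str) -> str:
    """Assumed mitigation: neutralize every '--' so the comment cannot be
    closed early. XML also forbids '--' inside a comment, so this restores
    well-formedness rather than breaking it. Looping handles runs such as
    '---' whose first pass still leaves an adjacent pair. The surrounding
    spaces guarantee the content never ends in '-' directly before '-->'."""
    safe = comment
    while "--" in safe:
        safe = safe.replace("--", "- -")
    return f"<!-- {safe} -->"


def render_document(comment: str, writer: Callable[[str], str]) -> str:
    """Build a small document the way a generator would: one comment, one
    element it legitimately wanted to write."""
    return f"<project>{writer(comment)}<version>1.0</version></project>"


def child_tags(xml_text: str) -> list:
    """Parse and return the tag names of <project>'s direct children.
    ElementTree drops comments, so anything besides 'version' was injected."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root]


if __name__ == "__main__":
    for name, writer in (("vulnerable", write_comment_vulnerable),
                         ("hardened", write_comment_hardened)):
        doc = render_document(MALICIOUS_COMMENT, writer)
        print(f"{name}: {doc}")
        print(f"  elements seen by the parser: {child_tags(doc)}")
```

The vulnerable writer yields a document in which the parser sees both `build` and `version` as children of `project`; the hardened writer yields only `version`, with the attacker's text still visible but inert inside the comment. The check worth adding to any code that still targets an old plexus-utils is the same one the hardened writer performs: never pass data from an untrusted source to writeComment without first removing `--`.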

CVSS Scores

version 3.1