We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default, at least that's the way how the vulnerability in woodstox was found, see [Xstream fuzz target](https://github.com/google/oss-fuzz/blob/master/projects/xstream/XmlFuzzer.java). #320

Closed
dockter34 opened this issue Dec 7, 2022 · 1 comment

@dockter34

> We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default, at least that's the way how the vulnerability in woodstox was found, see [Xstream fuzz target](https://github.com/google/oss-fuzz/blob/master/projects/xstream/XmlFuzzer.java).

One will remain for Xstream (CVE-2022-40151) which is still open, see #314.

Originally posted by @henryrneh in #304 (comment)

joehni self-assigned this Dec 7, 2022
joehni added this to the 1.4.x milestone Dec 7, 2022
joehni modified the milestones: 1.4.x, 1.4.20 Dec 23, 2022

Lonzak commented Aug 2, 2023

> We have requested that [...] that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted

You have requested it where? At MITRE corporation?

Update:
Ok found it myself - the CVEs have been REJECTED at MITRE:

**[REJECT]** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40156
