To report a technical security vulnerability related to our products, kindly provide the details via email to . Alternatively, you can refer to the following section for comprehensive information: https://www.oxygenxml.com/security/#reporting-a-new-vulnerability
Syncro Soft uses Security Advisories to communicate security information to Syncro Soft customers regarding security vulnerabilities.
This section contains all recent security advisories that were issued by Syncro Soft. To protect the security of our customers, we don't publish a security advisory until the vulnerability has been fully investigated and a patch or update is available that resolves the issue.
These posts by the Syncro Soft security team are also sent to the security announcements email list, and references to them may be included in the release notes. Get notified of Syncro Soft releases and security advisories by registering for the security announcements email list below:
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
The Oxygen products incorporate pgjdbc as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) for malicious URLs.
SYNC-2024-020601
Severity: High
CVSS Score: 8.1
Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) by crafting a malicious request that injects unauthorized JavaScript code.
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
The Oxygen products incorporate Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-46589
CVSS Score: 7.5
The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-46589 vulnerability description. However, the Oxygen Feedback product's design incorporates security measures that mitigate the exploitation of this vulnerability. For that reason, Oxygen Feedback is not affected by this vulnerability.
Starting with Oxygen XML Web Author v26.0.0.1 build 2024022608 Apache Tomcat library was updated to a version which fixes this vulnerability.
Starting with Oxygen Feedback v4.1 build 2024013118 Apache Tomcat library was updated to a version which fixes this vulnerability.
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
The Oxygen products incorporate Reactor Netty HTTP Server as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-34062
The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-34062 vulnerability description. However, Reactor Netty HTTP Server in Oxygen XML products is not configured to serve static resources. For that reason, Oxygen XML products are not affected by this vulnerability.
A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
The Oxygen products incorporate logback as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-6481
The logback third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-6481 vulnerability description. However, Oxygen XML products do not use the receiver component of logback. For that reason, Oxygen XML products are not affected by this vulnerability.
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.
CVE-2023-34054
The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-34054 vulnerability description. However, Oxygen XML products do not use metrics / Micrometer. For that reason, Oxygen XML products are not affected by this vulnerability.
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.
The Oxygen products incorporate the RabbitMQ Java client as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-46120
The netty third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-46120 vulnerability description. However, the Oxygen Content Fusion product's design incorporates security measures that mitigate the exploitation of this vulnerability. For that reason, Oxygen XML products are not affected by this vulnerability.
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
The Oxygen products incorporate JSON-Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-5072
The JSON-Java third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-5072 vulnerability description. Oxygen XML products do not parse JSON user input. For that reason, Oxygen XML products are not affected by this vulnerability.
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
The Oxygen products incorporate GNU C as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-4911
CVSS Score: 7.8
The GNU C third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-4911 vulnerability description. The Oxygen Feedback product's design incorporates security measures that significantly reduce the exploitation risks of this vulnerability. For that reason we rated this vulnerability as low.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-44487
Severity: Critical
The netty third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-44487 vulnerability description. However, Oxygen Content Fusion uses the Netty library only on the internal network. For that reason we rated this vulnerability as low.
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0. In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem.
The Oxygen products incorporate JGit as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-4759
CVSS Score: 8.8
The JGit third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-4759 vulnerability description. Oxygen Content Fusion runs on a case-sensitive filesystem. For that reason, Oxygen Content Fusion is not affected by this vulnerability.
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
CVE-2023-6378
The logback third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-6378 vulnerability description. However, Oxygen XML products do not use the receiver component of logback. For that reason, Oxygen XML products are not affected by this vulnerability.
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
The Oxygen products incorporate netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-4586
CVSS Score: 7.4
The netty third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-4586 vulnerability description. Oxygen Content Fusion uses the netty library only to connect internally and doesn't use hostname verification with this library. For that reason, Oxygen XML products are not affected by this vulnerability.
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake and, contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap based buffer, and the host name comes from the URL that curl has been told to operate with.
The Oxygen products incorporate curl and libcurl4 as third-party libraries. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-38545
CVSS Score: 9.8
The curl and libcurl4 third-party libraries used by Oxygen XML products are an affected version mentioned in the CVE-2023-38545 vulnerability description. However, Oxygen XML Feedback is a Java based application. For that reason we rated this vulnerability as low.
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
The Oxygen products incorporate chart.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-7746
The chart.js third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2020-7746 vulnerability description. However, since this library doesn't use user controlled options, this vulnerability does not affect Oxygen products.
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
The Oxygen products incorporate Apache XML Graphics Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-44729
CVSS Score: 7.1
The Apache XML Graphics Batik third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-44729 vulnerability description.
Starting with Oxygen XML Author v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Developer v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Editor v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Author v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Developer v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Editor v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen XML Web Author v26.0 build 2023101015 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen Publishing Engine v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Starting with Oxygen Publishing Engine v26.0 build 2023100523 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-34478
The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-34478 vulnerability description.
Starting with Oxygen XML Web Author 26.0.0 build 2023101015 Apache Shiro library was updated to a version which fixes this vulnerability.
Starting with Oxygen Content Fusion 6.0 build 2023110109 Apache Shiro library was updated to a version which fixes this vulnerability.
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
The Oxygen products incorporate Libksba as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-3515
The Libksba third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-3515 vulnerability description. However, since Oxygen products do not use the Libksba library at runtime, this vulnerability does not affect Oxygen products, and the library will be removed in future versions.
Starting with Oxygen Content Fusion v6.0 build 2023110109, the Libksba library was removed.
Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-34034
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-34034 vulnerability description. However, since Oxygen products do not use WebFlux controllers, this vulnerability does not affect Oxygen products.
Starting with Oxygen Feedback v3.0.3 build 2023083012 Spring Security library was updated to a version which fixes this vulnerability.
Starting with Oxygen Content Fusion v6.0 build 2023110109 Spring Security library was updated to a version which fixes this vulnerability.
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
The Oxygen products incorporate Thymeleaf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-38286
The Thymeleaf third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-38286 vulnerability description. However, since Oxygen products do not use Spring Boot Admin Server, this vulnerability does not affect Oxygen products.
Starting with Oxygen XML Web Author v26.0.0 build 2023101015 Thymeleaf library was updated to a version which fixes this vulnerability.
Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to have an unknown impact via unspecified vectors involving (1) a %0a sequence in a cookie and (2) the add.php file.
The Oxygen products incorporate AIST NetCat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2008-5730
The AIST NetCat third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2008-5730 vulnerability description. However, Oxygen XML Author, Oxygen XML Developer and Oxygen XML Editor are desktop applications, not server applications. Therefore, we are not affected by this vulnerability.
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
The Oxygen products incorporate Okio as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-3635
The Okio third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-3635 vulnerability description. However, since the user cannot control the GZIP archive, this vulnerability does not affect Oxygen XML products.
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-20883
The Spring Boot third-party library used by Oxygen Content Fusion is an affected version mentioned in the CVE-2023-20883 vulnerability description. However, since the server is not accessible through a proxy server, this vulnerability does not affect Oxygen Content Fusion.
Starting with Oxygen Content Fusion v5.1.1 build 2023072112 Spring Boot library was updated to a version that fixes this vulnerability.
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-28709
The Apache Tomcat third-party library used by Oxygen XML Web Author is an affected version mentioned in the CVE-2023-28709 vulnerability description. However, since default HTTP connector settings are used, this vulnerability does not affect Oxygen XML Web Author.
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
The Oxygen products incorporate hutool-json as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-45688
The hutool-json third-party library used by Oxygen Content Fusion is an affected version mentioned in the CVE-2022-45688 vulnerability description. Starting with Oxygen Content Fusion 5.1.1 build 2023072112, the affected library was updated to a version that fixes this vulnerability.
Since Oxygen Publishing Engine doesn't use XML.toJSONObject, this vulnerability does not affect Oxygen Publishing Engine. However, starting with Oxygen Publishing Engine v25.1 build 2023031411, the affected library was updated to a version that fixes this vulnerability.
Starting with Oxygen License Server v25.1 build 2023031316, the affected library was updated to a version that fixes this vulnerability.
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
The Oxygen products incorporate Google Guava as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-2976
The Google Guava third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-2976 vulnerability description. However, since Oxygen XML products do not employ the FileBackedOutputStream class, we classify this vulnerability as low.
Starting with Oxygen XML v25.1 build 2023070306 Google Guava library was updated to v2.29 which fixes this vulnerability.
An issue discovered in jtidy through r938 allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
The Oxygen products incorporate jtidy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-34623
The jtidy third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-34623 vulnerability description.
Starting with Oxygen XML v25.1 build 2023070306 jtidy library was updated to a version which fixes this vulnerability.
An issue discovered in htmlcleaner through 2.28 allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
The Oxygen products incorporate htmlcleaner as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-34624
The htmlcleaner third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-34624 vulnerability description.
Starting with Oxygen XML v25.1 build 2023070306 htmlcleaner library was updated to v2.29 which fixes this vulnerability.
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-20860
The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-20860 vulnerability description. However, the Oxygen products do not use mvcMatchers. For that reason, the Oxygen XML products are not affected by this vulnerability.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
CVE-2023-20862
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-20862 vulnerability description. However, the Oxygen products do not use the vulnerable code. For that reason, Oxygen XML products are not affected.
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
CVE-2023-20873
The Spring Boot third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-20873 vulnerability description. However, the Oxygen products are not deployed to Cloud Foundry. For that reason, Oxygen XML products are not affected by this vulnerability.
A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)
SYNC-2023-042301
Severity: Medium
CVSS Score: 5.3
Using special requests, a remote attacker may read files from WEB-INF directory of Oxygen XML Web Author application. However, by default, this directory does not contain sensitive information so the severity of this issue should be seen as low.
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
The Oxygen products incorporate Apache Commons FileUpload as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-24998
The Apache Commons FileUpload third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-24998 vulnerability description.
Starting with Oxygen XML Web Author v25.1 build 2023031320 Apache Tomcat library was updated to v9.0.73 which fixes this vulnerability.
Those using Woodstox to parse XML data may be vulnerable to Denial of Service (DoS) attacks if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
The Oxygen products incorporate Woodstox as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-40152
The Woodstox third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-40152 vulnerability description. However, the Oxygen products do not enable DTD support. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen XML Web Author v25.1.0 build 2023031320 Woodstox library was updated to a newer version which fixes this vulnerability.
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
The Oxygen products incorporate OpenSSL as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-0286
The OpenSSL third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-0286 vulnerability description. However, the Oxygen products do not enable CRL checking. For that reason, Oxygen XML products are not affected by this vulnerability.
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
The Oxygen products incorporate cookiejar as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-25901
The cookiejar third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-25901 vulnerability description. However, the Oxygen products do not use the Cookie.parse function. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback v3.0 build 2023031610 cookiejar library was updated to v2.1.4 which fixes this vulnerability.
An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
The Oxygen products incorporate org.ini4j as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-41404
The org.ini4j third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-41404 vulnerability description. However, the Oxygen products do not call the affected method. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen XML Web Author v25.1.0 build 2023031320 org.ini4j library was removed.
In versions `<=8.5.1` of the jsonwebtoken library, the lack of an algorithm definition in the `jwt.verify()` function can lead to a signature validation bypass, because verification defaults to the `none` algorithm. Users are affected if they do not specify algorithms in the `jwt.verify()` function. This issue has been fixed; please update to version 9.0.0, which removes the default support for the `none` algorithm in the `jwt.verify()` method. There will be no impact if you update to version 9.0.0 and do not need to allow the `none` algorithm. If you need the `none` algorithm, you have to explicitly specify that in the `jwt.verify()` options.
The Oxygen products incorporate jsonwebtoken as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-23540
CVSS Score: 7.6
The jsonwebtoken third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23540 vulnerability description.
Starting with Oxygen Content Fusion v5.0.3 build 2023022015 the jsonwebtoken library was updated to v9.0.0 which fixes this vulnerability.
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
CVE-2023-22602
The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-22602 vulnerability description. However, the Oxygen products do not use Apache Shiro together with Spring Boot. For that reason, our products are not affected by this vulnerability.
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
CVE-2022-45143
The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-45143 vulnerability description. However, the Oxygen products do not call the affected code. For that reason, Oxygen XML products are not affected.
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
The Oxygen products incorporate Luxon as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2023-22467
The Luxon third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-22467 vulnerability description. However, the Oxygen products do not pass user input to this method. For that reason, Oxygen XML products are not affected.
The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments.
The Oxygen products incorporate H2 Database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-45868
The H2 Database third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-45868 vulnerability description. However, the Oxygen products do not start the library with the -webAdminPassword argument. For that reason, Oxygen XML products are not affected by this vulnerability.
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution.
The Oxygen products incorporate Apache SOAP as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-45378
The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-45378 vulnerability description. However, the Oxygen products do not use RPCRouterServlet. For that reason, our products are not affected by this vulnerability.
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-24999
The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-41881
The Netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41881 vulnerability description.
Starting with Oxygen XML Author v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
Starting with Oxygen XML Developer v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
Starting with Oxygen XML Editor v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
The package org.yaml:snakeyaml, in versions before 1.31, is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
The Oxygen products incorporate SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-25857
The SnakeYAML third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-25857 vulnerability description.
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.17.1.
The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-42003
The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-42003 vulnerability description. However, the Oxygen products do not enable the UNWRAP_SINGLE_VALUE_ARRAYS feature. For that reason, Oxygen XML products are not affected by this vulnerability.
Due to improper type validation in attachment parsing in the Socket.io JavaScript library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
The Oxygen products incorporate Socket.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-2421
The Socket.io third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-2421 vulnerability description.
Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all users of the engine.io package, including those who use dependent packages such as socket.io. There is no known workaround except upgrading to a safe version. Patches for this issue were released in versions 3.6.1 and 6.2.1.
The Oxygen products incorporate Engine.IO as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-41940
The Engine.IO third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41940 vulnerability description.
SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
The Oxygen products incorporate SnakeYaml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-1471
The SnakeYaml third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-1471 vulnerability description. However, the Oxygen products do not use Constructor() as described. For that reason, Oxygen XML products are not affected by this vulnerability.
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CVE-2022-42004
The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-42004 vulnerability description. However, the Oxygen products do not enable the UNWRAP_SINGLE_VALUE_ARRAYS feature. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-40146
The Batik third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-40146 vulnerability description. However, the Oxygen products have a security mechanism that blocks connections to untrusted hosts. For that reason, we have rated the severity level for our products as low.
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
The Oxygen products incorporate protobuf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-3171
The protobuf third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-3171 vulnerability description. However, the Oxygen products do not read arbitrary data in protobuf format. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 protobuf library was updated to a newer version which fixes this vulnerability.
The Shiro package is vulnerable to Improper Authentication. The doFilter() function in the OncePerRequestFilter class executes the filter once per request, even when forwarding or including via javax.servlet.RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.
The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-40664
The Shiro third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-40664 vulnerability description. However, the Oxygen products do not call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 Shiro library was updated to a newer version that fixes this vulnerability.
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
CVE-2022-42252
The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-42252 vulnerability description. However, the Oxygen products do not set rejectIllegalHeader to false. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716 Apache Tomcat library was updated to v9.0.68 which fixes this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.2 build 2023020615 Apache Tomcat library was updated to v9.0.69 which fixes this vulnerability.
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.
CVE-2022-31690
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-31690 vulnerability description. However, the Access Token returned by Oxygen Feedback does not contain an empty scope list. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305 Spring Security library was updated to v5.7.5 which fixes this vulnerability.
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9, could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: the application expects that Spring Security applies security to forward and include dispatcher types; the application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method; the application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include); the application may forward or include the request to a higher privilege-secured endpoint; and the application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
CVE-2022-31692
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-31692 vulnerability description. However, the Oxygen products are not configured as described in the vulnerability description. For that reason, Oxygen XML products are not affected by this vulnerability.
The loader-utils package is vulnerable to Prototype Pollution. The parseQuery() function in the parseQuery.js file allows for modification of object prototypes via the name variable. A remote attacker can exploit this vulnerability to override the behavior of object prototypes, which may result in a Denial of Service (DoS) condition, Remote Code Execution (RCE), or other unexpected behavior.
The Oxygen products incorporate loader-utils as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-37601
The loader-utils third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-37601 vulnerability description. However, Oxygen XML products do not use server-side JavaScript to handle JSON content received as the payload of REST requests. For that reason, Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716 loader-utils library was updated to fix this vulnerability.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CVE-2022-41704
The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41704 vulnerability description.
Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Web Author v24.1.0.2 build 2022110410 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 batik-bridge library was removed, which fixes this vulnerability.
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CVE-2022-42890
The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42890 vulnerability description.
There is a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and previous versions.
The Oxygen products incorporate Apache Xerces Java (XercesJ) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-23437
CVSS Score: 6.5
The Apache Xerces Java (XercesJ) third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23437 vulnerability description.
Starting with Oxygen XML Author v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.
Starting with Oxygen XML Developer v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.
Starting with Oxygen XML Editor v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.
An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions.
CVE-2022-40705
The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-40705 vulnerability description. However, Oxygen products do not use the RPCRouterServlet class. For that reason, our products are not affected by this vulnerability.
In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-32532 vulnerability description. However, Oxygen XML products do not use RegExPatternMatcher. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Content Fusion v5.0.1 build 2022092005, Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-32532.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022070522, Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-32532.
This affects the package codemirror before 5.58.2 and the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex is mainly due to the sub-pattern `(\s|/\*.*?\*/)*`.
The Oxygen products incorporate codemirror as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-7760
The codemirror third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2020-7760 vulnerability description. However, Oxygen products do not load the vulnerable file (javascript.js). For that reason, we have rated the severity level for our products as low.
Starting with Oxygen XML Web Author v25.0 codemirror library was updated to v5.65.8 which fixes this vulnerability.
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.
The Oxygen products incorporate Apache Xalan Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-34169
The Apache Xalan Java third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-34169 vulnerability description. However, Oxygen XML products do not use Apache Xalan Java to generate Java classes from XSLT. For that reason, our products are not affected by this vulnerability.
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVE-2022-29885
The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-29885 vulnerability description.
Starting with Oxygen Content Fusion v5.0 Apache Tomcat library was updated to a non-vulnerable version.
The nekohtml package is vulnerable to Denial of Service due to Uncontrolled Resource Consumption. The scanPI() function in the HTMLScanner class mishandles the parsing of a processing instruction while scanning a document. An attacker can leverage this behavior using a specially crafted HTML document, which has a ? or / character at the end of the processing instruction, to cause an infinite loop that appends a byte to a buffer in every cycle, causing a java.lang.OutOfMemoryError exception.
The Oxygen products incorporate nekohtml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-24839
The nekohtml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24839 vulnerability description.
Starting with Oxygen XML Web Author v24.1 build 2022070522 nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Author v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Developer v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Editor v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen PDF Chemistry v24.1 build 2022062023 nekohtml library was removed.
Starting with Oxygen Content Fusion v5.0 build 2022092005 nekohtml library was updated to a non-vulnerable version.
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
The Oxygen products incorporate Async as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-43138
The Async third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-43138 vulnerability description.
Starting with Oxygen Content Fusion v5.0 Async library was updated to v3.2.2 which fixes this vulnerability.
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-24785
The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24785 vulnerability description. However, Oxygen products do not set any locale/language for the Moment.js library. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Content Fusion v5.0 Moment.js library was updated to v3.2.2 which fixes this vulnerability.
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
CVE-2017-18214
The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2017-18214 vulnerability description. However, Oxygen products do not pass any user-provided date string to this library. For that reason, our products are not affected by this vulnerability.
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CVE-2018-11040
The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-11040 vulnerability description. However, Oxygen Feedback does not use MappingJackson2JsonView nor enable JSONP support through AbstractJsonpResponseBodyAdvice. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback v2.1 build 2022071516 Spring Framework library was updated to a non-vulnerable version.
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-23181
CVSS Score: 7.0
The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23181 vulnerability description. However, the Oxygen products are not configured to persist sessions using the FileStore. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback v2.1 Apache Tomcat library was updated to v9.0.58 which fixes this vulnerability.
Starting with Oxygen XML Web Author v24.1.0 Apache Tomcat library was updated to v9.0.59 which fixes this vulnerability.
In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CVE-2022-22978
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22978 vulnerability description. However, Oxygen XML products do not invoke the RegexRequestMatcher method. For that reason, we have rated the severity level for our products as low.
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
CVE-2022-29162
The runc third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-29162 vulnerability description.
Starting with Oxygen Content Fusion v5.0 build 2022092005 runc has been removed to fix this vulnerability.
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CVE-2021-42550
Severity: Low
CVSS Score: 6.6
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42550 vulnerability description. However, the vulnerability can only be exploited by a trusted party modifying the logging configuration. For that reason, we have rated the severity level for our products as low.
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code. The PgJDBC implementation of the `java.sql.ResultRow.refreshRow()` method does not escape column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and subsequently invoking the `refreshRow()` method on the ResultSet.
CVE-2022-31197
CVSS Score: 8.0
The PostgreSQL JDBC Driver third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31197 vulnerability description. However, Oxygen XML products do not invoke the `ResultSet.refreshRow()` method. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Feedback version 2.1.3 build 2022091217, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.
Starting with Oxygen Content Fusion 5.0.1 build 2022092005, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
The Oxygen products incorporate resteasy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-1695
The resteasy third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-1695 vulnerability description.
Starting with Oxygen Web Author v24.1 build 2022070522 resteasy library was updated to version v4.6.0.Final which fixes this vulnerability.
Starting with Oxygen Content Fusion v5.0 build 2022092005 resteasy library was updated to version v4.7.6 which fixes this vulnerability.
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
The Oxygen Content Fusion incorporates postgresql as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-26520
The postgresql third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-26520 vulnerability description. However, the Oxygen products are not configured to allow untrusted users to supply JDBC URLs or their properties. For that reason, we have rated the severity level for our products as low.
Starting with Oxygen Content Fusion v5.0 postgresql library was updated to v42.3.4 which fixes this vulnerability.
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The deserialize() method in the UntypedObjectDeserializer and UntypedObjectDeserializer$Vanilla classes fails to restrict recursion when deserializing nested untyped or generic objects. A remote attacker who can supply data to be deserialized by an affected application can exploit this vulnerability to cause the JVM to consume all available memory, resulting in a StackOverflow exception and ultimately a DoS condition.
The Oxygen products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-36518
The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-36518 vulnerability description.
Starting with Oxygen Web Author v24.1.1 jackson-databind library was updated to a non-vulnerable version.
Starting with Oxygen Content Fusion v4.1 build 2022040914 jackson-databind library was updated to a non-vulnerable version.
Vulnerabilities in Ubuntu server 20.04 used by Oxygen Content Fusion.
Syncro Soft engineers have addressed the following CVEs.
Description: An out of bounds access was discovered in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.
Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “int_ctl” field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.
Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “virt_ext” field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.
CVSS Score: 8.4
Description: A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of the supplied parameters. An unprivileged local user (if unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.
Description: Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user(). These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.
Description: The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
Description: A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
Description: An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.
Description: BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.
Description: fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.
Description: The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this to gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution.
Description: A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
Description: net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.
Description: A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces.
Description: It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.
Description: A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
Starting with Oxygen Content Fusion version 4.1.6 build number 2022040914, the affected packages were updated and all vulnerabilities were fixed.
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
The Oxygen products incorporate Minimist as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-44906
The Minimist third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44906 vulnerability description. However, the Oxygen Feedback product does not pass data from untrusted sources to this library. For that reason, we have rated the severity level for our products as low.
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
The Oxygen products incorporate Spring MVC as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-22965
The Spring MVC third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22965 vulnerability description. However, the Oxygen Feedback product is not available as a WAR file. For that reason, our products are not affected by this vulnerability.
The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The readExternal() method in the NodeSerialization class fails to restrict allocation when JsonNode objects are serialized/deserialized by the JDK.
The Oxygen XML products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
SYNC-2022-1003
The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in SYNC-2022-1003 vulnerability description. However, this library is not used to serialize/deserialize JsonNode objects from untrusted sources. For that reason, we have rated the severity level for our products as low.
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
The Oxygen License Server product incorporates Eclipse Jetty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-28165
The Eclipse Jetty package used by Oxygen License Server product is an affected version mentioned in CVE-2021-28165 vulnerability description.
Starting with Oxygen License Server version 24.1, the Eclipse Jetty was updated to version 9.4.45.v20220203, which includes a fix for CVE-2021-41303.
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties.
The Oxygen Content Fusion product incorporates shelljs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2022-21724
The postgresql package used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-21724 vulnerability description. However, the configuration files cannot be changed by untrusted users. For that reason, we have rated the severity level for our products as low.
The shelljs package is vulnerable due to Improper Privilege Management. The execSync() function in the exec.js file does not properly ensure if a user is authorized to read and write to the paramFiles, stdoutFile and stderrFile before allowing the user to access them. A local attacker with low privileges can exploit this behavior to obtain sensitive information from the aforementioned files. The attacker can also create a stdoutFile or stderrFile first, which will crash the exec process when it tries to write to these files, resulting in a Denial of Service (DoS) condition.
CVE-2022-0144
The shelljs third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-0144 vulnerability description. However, the shelljs library is used only for backup restore and it is executed in an isolated container that is not available to untrusted users. For that reason, we have rated the severity level for our products as low.
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
The Oxygen XML products incorporate H2 database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-42392
The H2 database third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42392 vulnerability description. However, the H2 console is not available for untrusted users. For that reason, we have rated the severity level for our products as low.
The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
The Oxygen License Server product incorporates com.h2database:h2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-23463
CVSS Score: 9.1
The com.h2database:h2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-23463 vulnerability description. However, this library is not used to parse XML data from untrusted sources. For that reason, we have rated the severity level for our products as low.
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVE-2018-7489
The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-7489 vulnerability description. However, c3p0 libraries are not available in the Oxygen XML products classpath. For that reason, we have rated the severity level for our products as low.
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
The Oxygen products incorporate Jackson as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2019-10172
The Jackson third-party library used by Oxygen XML products is an affected version mentioned in CVE-2019-10172 vulnerability description.
Starting with Oxygen XML Web Author v23.1 Jackson library was updated to v2.11.0 which fixes this vulnerability.
Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
The Oxygen PDF Chemistry product incorporates the Apache XmlGraphics Commons 2.4 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-11988
CVSS Score: 8.2
The Apache XmlGraphics Commons third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11988 vulnerability description.
Starting with Oxygen PDF Chemistry v22.1 build 2021121712, the Apache XmlGraphics Commons library was updated to version 2.6 which fixes this vulnerability.
Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update, an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.
The Oxygen XML products incorporate Redis as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-32626
The Redis third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-32626 vulnerability description. However, execution of Lua scripts is disabled in our products. For that reason, we have rated the severity level for our products as low.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-44832
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44832 vulnerability description. However, our default configuration does not use JDBC Appender with a data source referencing a JNDI URI and can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2021-4104
The Apache Log4j third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-4104 vulnerability description. However, our default configuration does not use JMSAppender and the vulnerability can only be exploited by a trusted party modifying the logging configuration. For that reason, we have rated the severity level for our products as low.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
CVE-2021-45105
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45105 vulnerability description. However, our default configuration does not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
The Oxygen PDF Chemistry product incorporates the Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-11987
The Apache Batik third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11987 vulnerability description. However, NodePickerPanel class is not used in Oxygen PDF Chemistry. Therefore Oxygen PDF Chemistry product is not affected by CVE-2020-11987.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
CVE-2021-45046
CVSS Score: 9.0
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45046 vulnerability description. However, our default configuration does not change the Pattern Layout and the vulnerability can only be exploited by a trusted party modifying the logging configuration. For that reason, we have rated the severity level for our products as low.
Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.
CVE-2021-44228
CVSS Score: 10
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.
The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. An attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references.
The Oxygen Feedback product incorporates the logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
SYNC-2021-2610
CVSS Score: 8.6
The logback-core third-party library used by the Oxygen Feedback product is an affected version mentioned in the SYNC-2021-2610 vulnerability description. However, Oxygen Feedback does not accept XML data as user input. Therefore, the Oxygen Feedback product is not impacted by SYNC-2021-2610.
Starting with Oxygen Feedback version 1.4.4, logback-core was updated to version 1.2.6, which includes a fix for SYNC-2021-2610.
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
The Oxygen Feedback product incorporates jsoup as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-37714
The jsoup third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37714 vulnerability description.
Starting with Oxygen Feedback version 1.4.4, jsoup was updated to version 1.14.2, which includes a fix for CVE-2021-37714.
In the thymeleaf-spring5:3.0.12 component, Thymeleaf template injection may, in specific scenarios, lead to remote code execution.
The Oxygen XML products incorporate thymeleaf-spring as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-43466
The thymeleaf-spring third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2021-43466 vulnerability description. However, the Oxygen XML software products do not render templates supplied by users. Therefore, Oxygen XML software products are not impacted by CVE-2021-43466.
Starting with Oxygen Feedback version 1.4.4, the thymeleaf-spring package was updated to version 3.0.13, which includes a fix for this vulnerability.
The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
The Oxygen XML products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-37137
The Netty third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2021-37137 vulnerability description. However, the Oxygen XML software products do not use Netty to decompress user-supplied Snappy data streams. Therefore, Oxygen XML software products are not impacted by CVE-2021-37137.
The Bzip2 decompression decoder function does not allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and thus a DoS attack.
CVE-2021-37136
The Netty third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2021-37136 vulnerability description. However, the Oxygen XML software products do not use Netty to decompress user-supplied Bzip2 data streams. Therefore, Oxygen XML software products are not impacted by CVE-2021-37136.
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
The Oxygen XML products incorporate hibernate-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-25638
The hibernate-core third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2020-25638 vulnerability description. However, the Oxygen XML software products do not set hibernate.use_sql_comments to true. Therefore, Oxygen XML software products are not impacted by CVE-2020-25638.
Starting with Oxygen Content Fusion version 4.1, the hibernate-core package was updated to version 5.4.24, which includes a fix for this vulnerability.
In Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
The Oxygen XML products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-17523
The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2020-17523 vulnerability description. However, Spring is not included in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2020-17523.
Starting with Oxygen Content Fusion version 4.1, Apache Shiro was updated to version 1.8, which includes a fix for CVE-2020-17523.
If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.
The Oxygen XML products incorporate Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2018-1294
Severity: high
The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2018-1294 vulnerability description. However, the Oxygen XML software products validate input before it is passed to Email.setBounceAddress(String). Therefore, Oxygen XML software products are not impacted by CVE-2018-1294.
Starting with Oxygen Content Fusion version 4.1, Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2018-1294.
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
CVE-2017-9801
The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-9801 vulnerability description.
Starting with Oxygen Content Fusion version 4.1, Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2017-9801.
SnakeYAML is vulnerable to a denial of service, caused by entity expansion in the Alias feature during a load operation.
The Oxygen XML products incorporate SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2017-18640
The SnakeYAML third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2017-18640 vulnerability description. However, the Oxygen XML software products use SnakeYAML only to generate YAML files, not to parse YAML files. Therefore, Oxygen XML software products are not impacted by CVE-2017-18640.
Starting with Oxygen Content Fusion version 4.1, the SnakeYAML library was removed.
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
The Oxygen Feedback product incorporates Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-42340
The Apache Tomcat 9.0.52 third-party library used by the Oxygen Feedback product is an affected version mentioned in the CVE-2021-42340 vulnerability description.
Starting with Oxygen Feedback version 1.4.4, Apache Tomcat was updated to version 9.0.54, which includes a fix for CVE-2021-42340.
Starting with Oxygen XML Web Author version 23.1 build 2021112409, Apache Tomcat was updated to version 9.0.55, which includes a fix for CVE-2021-42340.
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the secureValidation property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
The Apache Santuario - XML Security package is vulnerable to Information Exposure. A remote attacker can exploit this behavior to extract any local .xml files during an XPath transform using the RetrievalMethod element. This would result in the attacker gaining access to otherwise restricted information on an application using this package to implement XML security standards.
The Oxygen XML products incorporate Apache Santuario - XML Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-40690
The Apache Santuario - XML Security third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-40690 vulnerability description.
Starting with Oxygen XML version 24.0, Apache Santuario - XML Security was updated to version 2.1.7, which includes a fix for CVE-2021-40690.
In Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.
The Oxygen XML Web Author product incorporates Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-41303
The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2021-41303 vulnerability description. However, Spring Boot is not included in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2021-41303.
Starting with Oxygen XML Web Author version 24.0, Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. A remote attacker can exploit this vulnerability by issuing a maliciously crafted packet in order to cause an infinite loop and ultimately a DoS condition.
The Oxygen XML products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-41079
The Apache Tomcat third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-41079 vulnerability description.
Starting with Oxygen XML Web Author version 24.0, Apache Tomcat was updated to version 9.0.53, which includes a fix for CVE-2021-41079.
The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. The buildSaxParser() method in the SaxEventRecorder class processes malicious external entities by default due to an unsafe XML parser configuration.
The Oxygen XML products incorporate logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
SYNC-2021-2809
CVSS Score: 5.1
The logback-core third-party library used by Oxygen XML software products is an affected version.
Starting with Oxygen 24.0, logback-core was updated to version 1.2.6, which fixes this vulnerability.
There is a JavaScript injection vulnerability in WebHelp output. Using an XSS attack, an attacker may inject JavaScript code by typing a specific expression in the search field. This exploit requires a user to be tricked into executing malicious code by searching for specific text.
SYNC-2021-072301
CVSS Score: 5.5
Oxygen XML WebHelp output is vulnerable to cross-site scripting. This vulnerability allows users to inject arbitrary JavaScript code into the WebHelp output, thus altering the intended functionality.
To fix this vulnerability, you need to:
The vulnerability has been fixed in version 22.1 starting with build 2021082013 and version 23.1 starting with build 2021082307.
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
CVE-2018-18928
The International Components for Unicode (ICU) package used by Oxygen XML software products is an affected version mentioned in CVE-2018-18928 vulnerability description.
Starting with version 23.1 build 2021082307, the International Components for Unicode (ICU) package was updated to version 69.1, which includes a fix for this vulnerability.
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2021-36090
The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in CVE-2021-36090 vulnerability description.
Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2021-35517
The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in CVE-2021-35517 vulnerability description.
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35516
The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in CVE-2021-35516 vulnerability description.
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress sevenz package.
CVE-2021-35515
The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in CVE-2021-35515 vulnerability description.
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
CVE-2021-33910
The systemd package used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2021-33910 vulnerability description.
Starting with version 4.1.1 build 2021080611, the systemd package was updated to version 245.4-4ubuntu3.11, which includes a fix for CVE-2021-33910.
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
The Oxygen Content Fusion product incorporates Lodash as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-23337
CVSS Score: 7.2
The Lodash third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2021-23337 vulnerability description.
Starting with Content Fusion version 4.1 build 2021070912, the Lodash third-party library was updated to version 4.17.21, which fixes CVE-2021-23337.
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494.
The tomcat-catalina package is vulnerable to Remote Code Execution (RCE). The file() method in the FileStore class fails to sufficiently enforce the current FileStore directory when creating a File object, allowing Tomcat instances with certain configurations to deserialize objects from files outside of the file store. An attacker with knowledge of the FileStore location and control of the file passed into the FileStore object as input may submit a maliciously crafted request to trigger arbitrary code execution on affected Tomcat servers.
CVE-2021-25329
The Apache Tomcat 9.0.41 third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-25329 vulnerability description.
Starting with Oxygen Feedback 1.4.1, Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25329.
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
The tomcat-coyote package is vulnerable to Information Exposure. The process method in AbstractProtocol.class does not properly handle HTTP/2 Cleartext (h2c) connections between multiple clients, responding with the request headers and partial body of one connection to another. An attacker can exploit this to gain access to sensitive information meant for a different client.
CVE-2021-25122
The Apache Tomcat 9.0.41 third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-25122 vulnerability description.
Starting with Oxygen Feedback 1.4.1, Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25122.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
The spring-security-web package is vulnerable to Improper Authorization. The saveContext() method in the HttpSessionSecurityContextRepository class and the contextChanged() method in the HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper class fail to store the HttpSession if the SecurityContext is altered more than once per request. An attacker can leverage this behavior to extend the scope of their existing privileges in order to access functionality that would otherwise be restricted.
The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2021-22112
The Spring Security 5.4.2 module (part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-22112 vulnerability description.
Starting with Oxygen Feedback 1.4.1, the Spring Security module was updated to version 5.4.5, which includes a fix for CVE-2021-22112.
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Apache Velocity is vulnerable to Code Injection. The checkObjectExecutePermission method in SecureIntrospectorImpl.class fails to deny access to java.lang.ClassLoader methods. An attacker with template modification abilities can exploit this to execute arbitrary code using a maliciously crafted template when Velocity templates are used in the context of a VelocityView.
The Oxygen product incorporates Velocity as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-13936
The Velocity third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-13936 vulnerability description.
The express package is vulnerable to HTTP Response Splitting. The redirect() function in the file response.js allows Carriage Return and Line Feed (CRLF) characters in the user input, which is then injected into the HTTP response. A remote attacker can exploit the vulnerability by crafting user input with the CRLF characters which will allow the attacker to set arbitrary HTTP response headers and control the body of the HTTP response. Likewise, any sensitive information, such as authentication tokens that are returned in the HTTP response sequentially after the injection point, will be accessible to the attacker.
The Oxygen Content Fusion product incorporates the express package as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
SYNC-2021-031201
While there is no non-vulnerable version of this component, the vulnerability was fixed at the runtime level, within NodeJS itself.
All versions of Oxygen Content Fusion are using a NodeJS version newer than 0.9.4.
Therefore, the Oxygen Content Fusion product is not affected by this vulnerability.
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
The engine.io package is vulnerable to Denial of Service (DoS) attacks. The constructor in server.js declares an insecure buffer limit of 100mb for requests. A remote attacker can exploit this vulnerability by leveraging the long polling transport to submit a large POST payload that may encapsulate multiple malicious packets. Processing this payload will cause the application to consume all available resources, ultimately resulting in a DoS condition.
The Oxygen Content Fusion product incorporates engine.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2020-36049
The engine.io third-party library used by the Oxygen Content Fusion software product is an affected version mentioned in the CVE-2020-36048 vulnerability description.
Starting with Oxygen Content Fusion 4.0, we have limited the maximum size of a package to 1MB.
Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36048.
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
The socket.io-parser package is vulnerable to Denial of Service (DoS). The decodeString() function in index.js fails to parse large remote strings passed into the application for decoding due to unnecessary memory allocation, leading to Uncontrolled Resource Consumption. A remote attacker with control over the input string being decoded by the library may craft a malicious string that would cause an application using the socket.io-parser package to crash.
The Oxygen Content Fusion product incorporates socket.io-parser as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
The socket.io-parser third-party library used by the Oxygen Content Fusion software product is an affected version mentioned in the CVE-2020-36049 vulnerability description.
Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36049.
Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
The org.springframework:spring-web package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The readRemoteInvocation method in HttpInvokerServiceExporter.class does not properly verify or restrict untrusted objects prior to deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which when deserialized, execute arbitrary code on the vulnerable system.
CVE-2016-1000027
The Spring Web 5.2.9.RELEASE module (part of Spring Framework) third-party library used by the Oxygen Feedback software product is an affected version mentioned in the CVE-2016-1000027 vulnerability description. However, the Oxygen Feedback product is not affected by this vulnerability because the HttpInvokerServiceExporter class is not used.
Starting with Oxygen Feedback 1.3.1, the Spring Web module was rebuilt after we removed the classes and packages (org.springframework.remoting.caucho, org.springframework.remoting.httpinvoker) where the vulnerability was reported.
Therefore, the Oxygen Feedback product is not impacted by CVE-2016-1000027.
Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Tomcat is susceptible to a vulnerability which could allow for reading of arbitrary files on the affected system (CVE-2020-1938). The vulnerability exists in the Apache JServ Protocol (AJP) protocol, which is enabled by default and listens on all configured IP addresses. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. This affects Apache Tomcat versions 6.x, 7.x less than 7.0.100, 8.x less than 8.5.51 and 9.x less than 9.0.31.
Multiple Oxygen XML products incorporate Apache Tomcat. This advisory was opened to address the potential impact of this vulnerability.
CVE-2020-1938
Apache Tomcat, as used by Oxygen XML software products, is an affected version mentioned in the CVE-2020-1938 vulnerability description. However, the AJP Connector (where the vulnerability exists) is not enabled or used in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2020-1938.
On December 19, 2019, the Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Log4j has a deserialization issue that could cause remote code execution (CVE-2019-17571). Log4j is a Java-based open-source logging tool that includes a SocketServer class which can easily accept serialized log events and deserialize them without authentication. With the aid of deserialization tools, an attacker could use this class to remotely execute arbitrary code. This affects Log4j versions 1.2 up to 1.2.17. A similar flaw found in Log4j 2.x has been assigned CVE-2017-5645.
Multiple Oxygen XML products incorporate Apache Log4j as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
CVE-2019-17571
The Log4j third-party library used by Oxygen XML software products is an affected version mentioned in the CVE-2019-17571 vulnerability description. However, the Log4j capability to receive remote log events through its SocketServer class (where the vulnerability exists) is not enabled or used in Oxygen XML software products; Log4j is used for basic logging within our applications. Therefore, Oxygen XML software products are not impacted by CVE-2019-17571.
The handling of XML documents in Oxygen XML Editor/Author/Developer is vulnerable to attacks based on XML External Entities (XXE). This applies only to documents that contain embedded DTDs and Entity declarations.
SYNC-2019-111401
This is a medium-severity issue. Because the embedded XML parser does not offer enough control over the location of the files it opens, this XXE vulnerability allows specially crafted XML files to read files that are accessible to the currently running Oxygen XML process. To be successful, the attacker would need very good knowledge of the file locations in your file system in order to access the information stored on your computer.
For more information about security at Syncro Soft, see our Security page. If you believe you've found a security vulnerability, see Reporting a new vulnerability.