Security Advisories

Abstract

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

The Oxygen products incorporate the superagent library as a third‑party component. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Detail

CVE-2017-16129

Severity: High

CVSS Score: 7.1

CVE-2017-16129 is a prototype pollution vulnerability in the Async library affecting versions before 2.6.4 and 3.x before 3.2.2. An attacker may abuse the mapValues() method to inject properties (for example via __proto__) into objects created by the iterator, potentially altering application behavior or escalating privileges depending on how polluted objects are later used.

Oxygen Content Fusion is not affected. Analysis of our usage shows no exploitable path.

Starting with Oxygen Content Fusionversion 8.1 build 2025042315 the dependency was upgraded to a non-vulnerable version.

Abstract

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

The Oxygen products incorporate the npm package "braces" as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability for Oxygen Content Fusion.

Detail

CVE-2024-4068

Severity: High

CVSS Score: 7.5

The npm package braces, in versions prior to 3.0.3, can enter an infinite parsing loop when given imbalanced brace input. This causes unbounded heap allocations that exhaust memory and crash the process, resulting in a denial of service.

Our investigation determined that braces 3.0.2 was not included in production artifacts. No released Oxygen Content Fusion versions are affected.

Starting with Oxygen Content Fusion version 8.2 build 2025082116, the affected library was removed.

Abstract

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

The Oxygen products incorporate Apache Tomcat as a third‑party component. This advisory was opened to address the potential impact of this third‑party component vulnerability across affected Oxygen products and services.

Detail

CVE-2025-48988

Severity: High

CVSS Score: 7.5

Apache Tomcat used the same limit for both request parameters and multipart parts. Because multipart parts include headers that must be retained, a request with a large number of parts can cause excessive memory usage, leading to a denial of service. Affected Tomcat ranges: 11.0.0‑M1 to 11.0.7, 10.1.0‑M1 to 10.1.41, and 9.0.0.M1 to 9.0.105. The issue is fixed in Tomcat 11.0.8, 10.1.42, and 9.0.106.

The vulnerability impacts products that embed or bundle affected Tomcat versions and that process multipart requests. We confirmed impact and delivered fixes for Oxygen Content Fusion and Oxygen XML Web Author. Where noted, some internal services were not exposed or did not use multipart uploads. Remediation across products was performed by upgrading Tomcat to fixed versions.

Starting with Oxygen Content Fusion version 8.2 build 2025082116 was addressed by updating Tomcat to a non-vulnerable version.

The Oxygen Feedback does not expose multipart endpoints and is not affected; Tomcat was updated to 9.0.106 starting with Oxygen Feedback version 5.2 build 2025071110.

Starting with Oxygen XML Web Author version 27.1.0 build 2025082715 this vulnerability was addressed by upgrading to Tomcat 9.0.106

Abstract

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

The Oxygen products incorporate Apache Commons BeanUtils as a third-party library. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Detail

CVE-2025-48734

Severity: High

CVSS Score: 8.8

Vulnerable versions of Apache Commons BeanUtils (prior to 1.11.0) can allow unsafe property access when property names are influenced by untrusted input (for example, paths like declaredClass.classLoader passed to getProperty-like methods). In environments that deserialize untrusted data or where a gadget chain is reachable (such as certain Apache Shiro configurations), this can be abused to access the ClassLoader and may lead to remote code execution.

In our default configurations, Shiro’s rememberMe is not enabled and session data is stored in Redis that is not externally exposed. These factors reduce the likelihood of remote exploitation.

Starting with Oxygen Content Fusion version 8.1 build 2025062312 the vulnerable dependency was updated to a non-vulnerable version.

Starting with Oxygen XML Web Author version 27.1.0.4 build 2025082715 the vulnerable dependency was updated to a non-vulnerable version.

Abstract

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

The Oxygen products incorporate the PostgreSQL JDBC Driver (pgjdbc) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2025-49146

Severity: High

CVSS Score: 8.2

Component: PostgreSQL JDBC Driver (org.postgresql:postgresql). In pgjdbc versions 42.7.4 through 42.7.6, if the driver is configured with channel binding set to required (default is prefer), it may incorrectly allow connections to proceed using authentication methods that do not support channel binding (for example, password, MD5, GSS, or SSPI). This can undermine the intended protection of channel binding and enable man-in-the-middle interception of connections that were expected to be bound. The issue is remediated in pgjdbc 42.7.7.

Based on our review, Oxygen Content Fusion is not affected because channel binding is not used in its database connections. Oxygen Feedback included the vulnerable driver in certain builds; practical risk is low unless channelBinding=require is explicitly configured by an administrator.

Starting with Oxygen Feedback version 5.2 build 2025071110 the affected dependency was updated to a non-vulnerable version.

Abstract

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

The Oxygen products incorporate the tar-fs package (via dockerode) in the Content Fusion config-server component. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Detail

CVE-2025-48387

Severity: High

CVSS Score: 8.7

tar-fs versions prior to 3.0.9, 2.1.3, and 1.16.5 allow a crafted tar archive to extract files outside the intended destination directory, resulting in writes outside the specified path. The issue is patched in tar-fs 3.0.9, 2.1.3, and 1.16.5. A documented workaround is to use the ignore option to exclude non-file/directory entries.

Our assessment concludes the affected functionality is not invoked in product runtime. Therefore, the issue is not exploitable in supported configurations.

Starting with Oxygen Content Fusion version 8.1 build 2025062312 this issue was fixed by upgrading the dependency to a non-vulnerable version.

Abstract

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

The Oxygen products incorporate Spring Security (spring-security-crypto) as a third-party library. This advisory was opened to address the potential impact of this third-party library’s vulnerability.

Detail

CVE-2025-22228

Severity: High

CVSS Score: 7.4

Spring Security’s BCryptPasswordEncoder may incorrectly return true when validating passwords longer than 72 characters if the first 72 characters are identical. This weakens password verification for affected code paths that both use BCryptPasswordEncoder and allow passwords exceeding 72 characters. The issue resides in the spring-security-crypto component.

Starting with Oxygen Content Fusion version 8.1 build 2025042315 we updated dependencies to include a non-vulnerable version.

Starting with Oxygen Feedback version 5.2 build 2025042516 we updated dependencies to include a non-vulnerable version.

Abstract

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

The Oxygen products incorporate the tar-fs package (transitively via dockerode in the Content Fusion config-server) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2024-12905

Severity: High

CVSS Score: 7.5

A flaw in tar-fs allows path traversal and improper link (symlink) resolution when extracting crafted tar archives, enabling writes outside the intended extraction directory. The issue is in index.js and affects tar-fs versions: 0.0.0–1.16.3, 2.0.0–2.1.1, and 3.0.0–3.0.7. The vulnerability is triggered only when tar extraction functionality is invoked on untrusted archives.

Our review indicates that we do not invoke tar-fs at runtime, so the vulnerable code path is not reachable in normal product operation.

Starting with Oxygen Content Fusion version 8.1 build 2025042315 we updated dependencies to include a non-vulnerable tar-fs.

Abstract

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2025-24970

Severity: High

CVSS Score: 7.5

Component: Netty (io.netty:netty-handler). CVE-2025-24970 affects Netty 4.1.91.Final through 4.1.117.Final. When a specially crafted packet is processed by SslHandler, input validation may fail in certain cases, leading to a native process crash (denial of service). The issue is fixed in Netty 4.1.118.Final. Upstream-reported workarounds include disabling the native SSLEngine or applying code changes to avoid the vulnerable path.

Starting woth Oxygen XML Editor version 27.1 build 2025032106 Netty library was updated to a non-vulnerable release.

Starting with Oxygen Content Fusion version 8.0 build 2025031016 Netty library was updated to a non-vulnerable release.

Abstract

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.

The Oxygen products incorporate path-to-regexp (transitively via Express) as a third-party library. This advisory was opened to address the potential impact of this third-party library’s vulnerability.

Detail

CVE-2024-52798

Severity: High

CVSS Score: 7.7

CVE-2024-52798 is a Regular Expression Denial of Service (ReDoS) issue in the 0.1.x releases of the path-to-regexp library. In certain cases, the library can generate a regular expression that is susceptible to excessive backtracking, potentially causing performance degradation under malicious input. The issue stems from an incomplete fix for CVE-2024-45296 and is addressed by upgrading to path-to-regexp 0.1.12.

We reviewed our usage of Express (which includes path-to-regexp) in Oxygen Content Fusion. We do not process user-controlled input with custom regular expressions. Given this usage, we assess the vulnerability as not exploitable in our products.

Starting with Oxygen Content Fusion version 8.0 build 2025031016 path-to-regexp was updated to a non-vulnerable version.

Abstract

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

The Oxygen products incorporate the form-data package as a third-party library. This advisory was opened to address the potential impact of this third-party library’s vulnerability.

Detail

CVE-2025-7783

Severity: Critical

CVSS Score: 9.4

A vulnerability in the form-data package allows HTTP Parameter Pollution (HPP) due to use of insufficiently random multipart boundaries. An attacker could exploit weak boundary values in multipart/form-data requests to manipulate downstream parameter parsing. Affected upstream versions are: < 2.5.4, 3.0.0–3.0.3, and 4.0.0–4.0.3. Component: form-data (JavaScript).

We reviewed where form-data is introduced and how it is used in our products. Our analysis indicates our code paths do not invoke form-data’s boundary generation. We have nonetheless updated dependencies to non‑vulnerable versions.

Abstract

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

The Oxygen products incorporate Spring Framework (spring-webmvc) as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Detail

CVE-2024-38819

Severity: High

CVSS Score: 7.5

CVE-2024-38819 is a path traversal issue that can affect applications serving static resources through Spring Framework’s functional web stacks (WebMvc.fn or WebFlux.fn). When static resources are served via RouterFunctions from a file system location, crafted HTTP requests may traverse directories and read files accessible to the application process.

We reviewed our usage of Spring Framework components in the impacted services. Our implementations do not serve static resources via RouterFunctions from a file system location and run behind Tomcat, so the vulnerable code path is not present. We assess this finding as not exploitable in our supported configurations.

Abstract

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.

The Oxygen products incorporate the Async JavaScript library as a third‑party library. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Detail

CVE-2024-39249

Severity: High

CVSS Score: 7.5

CVE-2024-39249 describes a potential Regular Expression Denial of Service (ReDoS) issue in Async versions <= 2.6.4 and <= 3.2.5 related to the autoinject function. The upstream supplier disputes exploitability, noting the affected regular expressions are not used with untrusted input in realistic scenarios.

Internal review concluded this is a false positive for our use case. The vulnerable autoinject code path is not invoked by our workloads, and no untrusted input reaches Async in our implementation.

Abstract

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

The Oxygen products incorporate the body-parser component as a third-party library within the config-server. This advisory was opened to address the potential impact of this third-party library's vulnerability.

Detail

CVE-2024-45590

Severity: High

CVSS Score: 7.5

body-parser versions prior to 1.20.3 are vulnerable to a denial of service when URL-encoded parsing is enabled. A remote attacker can send specially crafted, repeated requests that exhaust server resources and cause service unavailability. The issue is remediated in body-parser 1.20.3.

We confirmed usage of body-parser 1.20.1 in the Oxygen Content Fusion. Instances that enable URL-encoded request parsing are exposed to the described denial-of-service condition. Starting with Oxygen Content Fusion version 7.1 build 2024100818 we updated to a patched library version.

Abstract

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

The Oxygen products incorporate Protocol Buffers (protobuf-java) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2024-7254

Severity: High

CVSS Score: 7.5

Parsing untrusted Protocol Buffers data that contains deeply nested groups (SGROUP tags) can trigger unbounded recursion in certain parsing paths (including unknown-field handling, Java Protobuf Lite, and map fields). An attacker can exploit this to exceed stack limits and cause a stack overflow, leading to a denial of service (process crash). Remediation is available by updating to a non-vulnerable protobuf-java version.

We assessed exposure across our products that embed this library. We updated the bundled protobuf-java to a non-vulnerable version in supported fixed releases.

Abstract

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

The Oxygen products incorporate the semver package as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Detail

CVE-2022-25883

Severity: High

CVSS Score: 7.5

Versions of the semver package prior to 7.5.2 are vulnerable to a Regular Expression Denial of Service (ReDoS) condition in the new Range function when it processes untrusted user input as a range. An attacker could potentially trigger excessive backtracking and CPU consumption by supplying crafted input to code paths that pass such input into semver’s range parsing.

We reviewed usage of semver in our code and dependencies. The flagged instances occur in contexts that do not process untrusted user input for range parsing. Based on this, we concluded there is no exploitable ReDoS path in supported product builds.

Abstract

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

The Oxygen products incorporate DOMPurify and Swagger UI as third‑party libraries. This advisory was opened to address the potential impact of this third‑party libraries vulnerability.

Detail

CVE-2024-45801

Severity: High

CVSS Score: 7.3

CVE-2024-45801 is an XSS sanitization bypass in DOMPurify. Special HTML nesting and prototype‑pollution techniques can defeat DOMPurify’s depth checks, enabling cross‑site scripting. The issue is fixed upstream in DOMPurify 2.5.4 and 3.1.3. Swagger UI bundles DOMPurify, so deployments that include Swagger UI may be indirectly exposed. Upstream states there are no known workarounds.

We reviewed all usage of DOMPurify directly and transitively via Swagger UI. Where applicable, we updated DOMPurify to a fixed version or removed Swagger UI.

Oxygen Content Fusion is affected due to swagger-ui in the content-fusion-indexing service. We removed the springdoc-openapi-ui dependency starting with version 7.1 build 2024100818.

In Oxygen XML WebHelp DOMPurify library was updated to a version that fixes this vulnerability. Fixed in 26.1 build 2025053008 and newer versions.

In Oxygen Publishing Engine the vulnerability was fixed via the same DOMPurify update. Fixed in 26.1 build 2025053100 and newer versions.

In Oxygen XML Editor the vulnerability was fixed in 26.1 build 2025060207 and newer versions.

In Oxygen Feedback the Swagger UI is disabled in production. We consider this not exploitable in product deployments.

Abstract

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

The Oxygen products incorporate the path-to-regexp library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2024-45296

Severity: High

CVSS Score: 7.5

CVE-2024-45296 is a Regular Expression Denial of Service (ReDoS) in the path-to-regexp library. Certain path patterns that contain two parameters within a single segment, separated by a non-dot character, can generate a regular expression with catastrophic backtracking. In Node.js environments, regex evaluation runs on the main thread, so an attacker-crafted path may cause significant performance degradation and temporary denial of service.

After review, we concluded our products are not affected in supported configurations. Oxygen Content Fusion registers only a catch-all route pattern ("/*"), which does not create the vulnerable expression described by CVE-2024-45296.

Abstract

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use * the application runs on Tomcat or Jetty

The Oxygen products incorporate Spring WebMVC as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2024-38816

Severity: High

CVSS Score: 7.5

CVE-2024-38816 is a path traversal vulnerability affecting Spring applications that serve static resources using functional endpoints. An application is vulnerable only when it both uses RouterFunctions to serve static resources and configures resource handling with a FileSystemResource location. Deployments protected by the Spring Security HTTP Firewall or running on Tomcat or Jetty block the malicious requests.

After review, Oxygen products do not meet the vulnerable conditions (no RouterFunctions used to serve static resources and services run on Tomcat). Therefore, no supported Oxygen versions are affected.

Abstract

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: * You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and * You have Spring Security method annotations on a private method In that case, the target method may be able to be invoked without proper authorization. You are not affected if: * You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or * You have no Spring Security-annotated private methods

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library's vulnerability.

Detail

CVE-2025-41232

Severity: Critical

CVSS Score: 9.1

CVE-2025-41232 is an authorization bypass in Spring Security Aspects. When an application uses @EnableMethodSecurity(mode=ASPECTJ) together with spring-security-aspects and places Spring Security method annotations on private methods, the aspects may fail to correctly locate those annotations. In such cases, the target private method could be invoked without the expected authorization checks. Applications that do not use ASPECTJ mode or that do not annotate private methods are not affected.

Our review concluded there is no functional impact to our product because the necessary preconditions for exploitation are not present in our codebase (no use of @EnableMethodSecurity(mode=ASPECTJ), no spring-security-aspects dependency, and no private methods annotated with Spring Security method annotations).

Abstract

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

The Oxygen products incorporate Apache Tomcat as a third‑party component. This advisory was opened to address the potential impact of this third‑party component’s vulnerability.

Detail

CVE-2025-24813

Severity: Critical

CVSS Score: 9.8

A path equivalence issue when handling names containing an internal dot in the Default Servlet, combined with specific server configurations, may allow information disclosure, malicious content injection into uploaded files, or remote code execution. Exploitation requires writes enabled for the Default Servlet (disabled by default), support for partial PUT (enabled by default), and additional environmental preconditions.

Our deployments do not enable "writes" on Tomcat’s Default Servlet, and therefore our products are not exploitable by this issue. We updated bundled Tomcat to fixed upstream versions as part of routine maintenance.

Abstract

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

The Oxygen products incorporate Apache Tomcat as a third-party component. This advisory was opened to address the potential impact of this third-party component vulnerability.

Detail

CVE-2024-56337

Severity: Critical

CVSS Score: 9.8

A time-of-check to time-of-use (TOCTOU) race condition in Apache Tomcat may allow unintended write access when specific preconditions are met. The issue is an incomplete mitigation for CVE-2024-50379 and affects Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. Exploitation requires running on a case-insensitive filesystem and enabling the default servlet for writes (readonly=false). Depending on the Java version, additional configuration may be required to fully mitigate CVE-2024-50379; Tomcat 11.0.3, 10.1.35, and 9.0.99 include additional checks and defaults that address this condition.

Based on our review, the vulnerability is not exploitable in supported, default deployments of the affected Oxygen products because they run on case-sensitive filesystems and do not enable the Tomcat default servlet for writes (readonly remains true).

Abstract

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.

The Oxygen products incorporate AsyncHttpClient (AHC) as a third‑party library. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Detail

CVE-2024-53990

Severity: Critical

CVSS Score: 9.2

CVE-2024-53990 affects the AsyncHttpClient (AHC) library. When issuing HTTP requests, AHC’s automatically managed CookieStore can silently replace explicitly set cookies with cookies of the same name from its cookie jar. In multi-user services, this can cause a user’s cookie to be sent on another user’s request, leading to session mix-up or unintended authorization context.

Based on our review, the vulnerable code path is not exposed in our typical usage patterns. We updated dependencies in current release lines to versions that address this vulnerability.

Abstract

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

The Oxygen products incorporate ClassGraph (io.github.classgraph:classgraph) as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Detail

CVE-2021-47621

Severity: High

CVSS Score: 7.5

ClassGraph prior to 4.8.112 is susceptible to XML External Entity (XXE) issues. If attacker‑controlled XML is parsed by the library with external entity resolution enabled, it could lead to unintended file disclosure or outbound network requests under the application’s privileges.

We reviewed how this library is used in our code and confirmed no user‑controlled XML is parsed through ClassGraph. On that basis, our product is not exploitable via this issue.

. We updated the dependency to a non-vulnerable version in Oxygen Feedback 5.2.3 build 2025071110.

Abstract

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

The Oxygen products incorporate OkHttp as third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2021-0341

Severity: High

CVSS Score: 7.5

CVE-2021-0341 is a flaw in OkHttp’s hostname verification logic (OkHostnameVerifier.verifyHostname) that, in certain edge cases, may accept a TLS certificate for the wrong domain. This could enable man-in-the-middle scenarios and result in remote information disclosure. The issue concerns hostname verification behavior and does not require user interaction to trigger.

After review, our conclusion is that our products are not affected in practice. We identified OkHttp 3.14.9 is only used with a single, fixed HTTPS endpoint, with default TLS and hostname verification left intact. We found no code paths that override verification or expose user-controlled hostnames.

Abstract

Apache Tomcat was affected by a TOCTOU (Time-of-check Time-of-use) race condition vulnerability during JSP compilation, which could allow Remote Code Execution (RCE) when the default servlet is writable and the file system is case-insensitive. This vulnerability is tracked under CVE-2024-50379 and affects versions: 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. The issue was addressed in versions 11.0.2, 10.1.34, and 9.0.98.

Oxygen products incorporate Apache Tomcat components internally or as part of embedded servers. This advisory addresses the potential implications of this vulnerability on Oxygen deployments.

Detail

CVE-2024-50379

Severity: High

CVSS Score: 8.1

CVE-2024-50379 describes a race condition in Apache Tomcat's JSP compilation logic that could lead to Remote Code Execution (RCE) on systems where:
(1) the default servlet is write-enabled, and
(2) the underlying filesystem is case-insensitive (e.g., Windows, macOS by default).

Oxygen Content Fusion and Web Author are delivered using Linux-based container images (Ubuntu) and are deployed on case-sensitive filesystems. Additionally, Tomcat’s default servlet remains in its default read-only configuration.

Oxygen Feedback is also packaged in Linux containers and does not expose writable configurations for the default servlet. Despite the low risk, tomcat-embed-core was upgraded to version 9.0.98 as a precaution.

Based on the above, no Oxygen product is affected by this vulnerability in a practical or exploitable way.

Abstract

A vulnerability in the socket.io framework could allow a specially crafted packet to crash the Node.js server process due to an uncaught exception. This denial-of-service (DoS) vulnerability is tracked as CVE-2024-38355 and was resolved in socket.io version 4.6.2.

Oxygen Content Fusion uses socket.io to support real-time user notifications. This advisory clarifies the exposure and mitigation applied to prevent application-level service disruption.

Detail

CVE-2024-38355

Severity: High

CVSS Score: 7.3

In vulnerable versions of socket.io, a specially crafted packet could lead to an uncaught error that causes the Node.js process to exit, interrupting real-time communication services.

This issue affected the notification subsystem in Oxygen Content Fusion. If triggered, the attack would temporarily disable real-time updates until the notification server was restarted.

Starting with Oxygen Content Fusion 7.1 build 2024100818 the vulnerability was mitigated by updating socket.io to version 4.6.2

Abstract

socket.io-parser is the encoding and decoding engine behind socket.io, used for serializing messages between clients and servers. In affected versions, a specially crafted packet could lead to an uncaught exception, causing the Node.js process to crash.

CVE-2023-32695 tracks this vulnerability, which was resolved in version 4.2.3 of socket.io-parser. Oxygen Content Fusion used this library as part of its real-time notification system.

Detail

CVE-2023-32695

Severity: High

CVSS Score: 7.5

Malformed packets could cause unhandled exceptions in the socket.io-parser, resulting in crashes of the Node.js process. This may temporarily disrupt real-time features.

In Oxygen Content Fusion, the real-time notification system is non-critical; if affected, users may experience a brief delay in updates until the process restarts.

Starting with Oxygen Content Fusion 7.1 build 2024100818 the vulnerable package has been updated, and notifications remain fully functional post-upgrade.

Abstract

The Go runtime, when used with gosu, does not apply different behavior for binaries executed with setuid/setgid bits. This can lead to privilege escalation in scenarios where I/O file descriptors are closed or manipulated. This vulnerability is identified as CVE-2023-29403 and primarily affects Unix platforms.

In affected environments, a compromised binary could open sensitive file descriptors under elevated privileges or leak memory/register content if terminated improperly. Oxygen Content Fusion included gosu in specific Redis-based initialization containers.

Detail

CVE-2023-29403

Severity: High

CVSS Score: 7.8

On Unix systems, the Go runtime does not isolate setuid/setgid behavior. When a Go-based utility like gosu is executed with standard I/O file descriptors closed, it can result in unexpected behavior such as reading/writing elevated data or leaking registers.

Content Fusion versions up to v7.0 included gosu v1.12, which did not include mitigations for CVE-2023-29403. However, gosu was not configured with setuid/setgid, rendering the vulnerability non-exploitable in Content Fusion environment.

Starting with Content Fusion v7.1 build 2024100818, the gosu binary was removed entirely from Redis containers to prevent any future exposure to such runtime issues.

Abstract

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

The Oxygen products incorporate Apache Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-34750

Severity: Critical

CVSS Score: 7.5

The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-34750 vulnerability description. However, Oxygen products do not have HTTP/2 enabled. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 Apache Tomcat library was updated to a version that fixes this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417 Apache Tomcat library was updated to a version that fixes this vulnerability.

Starting with Oxygen Feedback v27.0.0 build 2024112223 Apache Tomcat library was updated to a version that fixes this vulnerability.

Abstract

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

The Oxygen products incorporate ws as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-37890

Severity: Critical

CVSS Score: 7.5

The ws third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-37890 vulnerability description. However, successful exploitation of this vulnerability in Oxygen products would only affect notification functionality without compromising critical systems or data. For that reason within Oxygen products context, the impact is considered Low.

Starting with Oxygen Content Fusion v7.1 build 2024100818 ws library was updated to a version that fixes this vulnerability.

Abstract

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

The Oxygen products incorporate Spring Security as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-22257

Severity: High

CVSS Score: 8.2

The Spring Security third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-22257 vulnerability description. However, Oxygen products do not use AuthenticatedVoter#vote. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Security was updated to a version which fixes this vulnerability.

Abstract

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

The Oxygen products incorporate DOMPurify as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-48910

Severity: Critical

CVSS Score: 9.1

The DOMPurify third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-48910 vulnerability description. However, DOMPurify features used in Oxygen products are not publicly accessible. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.1 build 2024121116 DOMPurify library was updated to a version that fixes this vulnerability.

Abstract

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

The Oxygen products incorporate DOMPurify as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-47875

Severity: Critical

CVSS Score: 10.0

The DOMPurify third-party library used by Oxygen XML products is among the affected version mentioned in CVE-2024-47875 vulnerability description. However, DOMPurify features used in Oxygen Feedback are not publicly accessible.

DOMPurify is used in various user-facing components of Oxygen XML WebHelp for data sanitization. However, Oxygen XML WebHelp also implements other layers of user input data sanitization.

For that reason Oxygen products are not affected by this vulnerability.

Abstract

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

The Oxygen products incorporate Apache Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-52316

Severity: Critical

CVSS Score: 9.8

The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-52316 vulnerability description. However, Oxygen products do not use ServerAuthContext. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1.1 build 2024120911 Apache Tomcat library was updatet to a version that fixes this vulnerability.

Starting with Oxygen XML Web Author v27.0.0 build 2024112223 Apache Tomcat library was updated to a version that fixes this vulnerability.

Abstract

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support

The Oxygen products incorporate gosu as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-38821

Severity: Critical

CVSS Score: 9.1

The Spring WebFlux third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-38821 vulnerability description. However, Oxygen Content Fusion and Oxygen Feedback are not WebFlux applications. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1.1 build 2024120911 Spring WebFlux library was updatet to a version that fixes this vulnerability.

Starting with Oxygen Feedback v5.1 build 2024121116 Spring WebFlux library was updatet to a version that fixes this vulnerability.

Abstract

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

The Oxygen products incorporate gosu as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-24790

Severity: Critical

CVSS Score: 9.8

The gosu third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-24790 vulnerability description. However, Oxygen Content Fusion does not use IPv4-mapped IPv6 addresses. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 gosu library was removed.

Abstract

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

The Oxygen products incorporate gosu as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-24540

Severity: Critical

CVSS Score: 9.8

The gosu third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-24540 vulnerability description. However, Oxygen Content Fusion does not use Go templates. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 gosu library was removed.

Abstract

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

The Oxygen products incorporate gosu as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-24538

Severity: Critical

CVSS Score: 9.8

The gosu third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-24538 vulnerability description. However, Oxygen Content Fusion does not use Go templates. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 gosu library was removed.

Abstract

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

The Oxygen products incorporate gosu as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2022-23806

Severity: Critical

CVSS Score: 9.1

The gosu third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2022-23806 vulnerability description. However, gosu used in Oxygen Content Fusion does not use crypto/elliptic. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 gosu library was removed.

Abstract

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

The Oxygen products incorporate Spring Framework as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-22259

Severity: High

CVSS Score: 8.1

The Spring Framework third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-22259 vulnerability description. However, Oxygen Feedback does not use URIComponentsBuilder to parse externally provided URL. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version which fixes this vulnerability.

Abstract

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

The Oxygen products incorporate Spring Framework as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-22262

Severity: High

CVSS Score: 8.1

The Spring Framework third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-22262 vulnerability description. However, Oxygen products do not use URIComponentsBuilder to parse externally provided URL. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version which fixes this vulnerability.

Abstract

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.

The Oxygen products incorporate Spring Framework as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-22243

Severity: High

CVSS Score: 8.1

The Spring Framework third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-22243 vulnerability description. However, Oxygen products do not use URIComponentsBuilder to parse externally provided URL. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version which fixes this vulnerability.

Abstract

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

The Oxygen products incorporate pgjdbc as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-1597

Severity: Critical

CVSS Score: 9.8

The pgjdbc third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-1597 vulnerability description. However, Oxygen products use the pgjdbc library in the default mode. For that reason are not affected by this vulnerability.

Starting with Oxygen Content Fusion v6.2 build 2024040514 pgjdbc library was updated to a version which fixes this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417 pgjdbc library was updated to a version which fixes this vulnerability.

Abstract

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

The Oxygen products incorporate Apache Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2024-23672

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-23672 vulnerability description.

Starting with Oxygen XML Web Author v26.1.0 build 2024032115 Apache Tomcat library was updated to a version which fixes this vulnerability.

Abstract

Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) for malicious URLs.

Detail

SYNC-2024-020601

Severity: High

CVSS Score: 8.1

Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) by crafting a malicious request that injects unauthorized JavaScript code.

Abstract

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

The Oxygen products incorporate Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-46589

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-46589 vulnerability description. However, Oxygen Feedback product's design incorporates security measures that mitigates the exploitation of this vulnerability. For that reason, Oxygen Feedback is not affected by this vulnerability.

Starting with Oxygen XML Web Author v26.0.0.1 build 2024022608 Apache Tomcat library was updated to a version which fixes this vulnerability.

Starting with Oxygen Feedback v4.1 build 2024013118 Apache Tomcat library was updated to a version which fixes this vulnerability.

Abstract

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

The Oxygen products incorporate Reactor Netty HTTP Server as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-34062

Severity: High

CVSS Score: 7.5

The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-34062 vulnerability description. However, Reactor Netty HTTP Server in Oxygen XML products is not configured to serve static resources. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

The Oxygen products incorporate logback as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-6481

Severity: High

CVSS Score: 7.5

The logback third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-6481 vulnerability description. However, Oxygen XML products do not use receiver component part of logback. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

The Oxygen products incorporate Reactor Netty HTTP Server as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-34054

Severity: High

CVSS Score: 7.5

The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-34054 vulnerability description. However, Oxygen XML products do not use metrics / Micrometer. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

The Oxygen products incorporate RabbitMQ Java as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-46120

Severity: High

CVSS Score: 7.5

The RabbitMQ Java third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-46120 vulnerability description. However, Oxygen Content Fusion product's design incorporates security measures that mitigates the exploitation of this vulnerability. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818 RabbitMQ Java library was removed.

Abstract

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

The Oxygen products incorporate JSON-Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-5072

Severity: High

CVSS Score: 7.5

The JSON-Java third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-5072 vulnerability description.
Oxygen XML products do not parse JSON user input. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

The Oxygen products incorporate GNU C as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4911

Severity: High

CVSS Score: 7.8

The GNU C third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4911 vulnerability description. Oxygen Feedback product's design incorporates security measures that significantly reduce the exploitation risks of this vulnerability. For that reason we rated this vulnerability as low.

Abstract

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

The Oxygen products incorporate Netty as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-44487

Severity: Critical

CVSS Score: 7.5

The netty third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-44487 vulnerability description. However, Oxygen Content Fusion uses the Netty library only for internal network. For that reason we rated this vulnerability as low.

Abstract

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem.

The Oxygen products incorporate JGit as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4759

Severity: High

CVSS Score: 8.8

The JGit third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4759 vulnerability description.
Oxygen Content Fusion runs on a case-sensitive filesystem. For that reason, Oxygen Content Fusion is not affected by this vulnerability.

Abstract

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

The Oxygen products incorporate logback as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-6378

Severity: High

CVSS Score: 7.5

The logback third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-6378 vulnerability description. However, Oxygen XML products do not use receiver component part of logback. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

The Oxygen products incorporate netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4586

Severity: High

CVSS Score: 7.4

The netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4586 vulnerability description.
Oxygen Content Fusion uses netty library only to connect internally and doesn't use hostname verification with this library. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.
If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there.
The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

The Oxygen products incorporate curl, libcurl4 as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-38545

Severity: Critical

CVSS Score: 9.8

The curl, libcurl4 third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-38545 vulnerability description. However, Oxygen XML Feedback is a Java based application. For that reason we rated this vulnerability as low.

Abstract

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

The Oxygen products incorporate chart.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-7746

Severity: Critical

CVSS Score: 9.8

The chart.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-7746 vulnerability description. However, since this library doesn't use user controlled options, this vulnerability does not affect Oxygen products.

Abstract

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

The Oxygen products incorporate Apache XML Graphics Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-44729

Severity: High

CVSS Score: 7.1

The Apache XML Graphics Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-44729 vulnerability description.

Starting with Oxygen XML Author v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Developer v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Editor v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Author v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Developer v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Editor v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Web Author v26.0 build 2023101015 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen Publishing Engine v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen Publishing Engine v26.0 build 2023100523 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Abstract

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34478

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34478 vulnerability description.

Starting with Oxygen XML Web Author 26.0.0 build 2023101015 Apache Shiro library was updated to a version which fixes this vulnerability.

Starting with Oxygen Content Fusion 6.0 build 2023110109 Apache Shiro library was updated to a version which fixes this vulnerability.

Abstract

A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

The Oxygen products incorporate Libksb as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-3515

Severity: Critical

CVSS Score: 9.8

The Libksba third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-3515 vulnerability description. However, since Oxygen products does not use Libksb library at runtime, this vulnerability does not affect Oxygen products and will be removed in future versions.

Starting with Oxygen Content Fusion v6.0 build 2023110109 Libksb library was removed.

Abstract

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34034

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34034 vulnerability description. However, since Oxygen products does not use WebFlux controllers, this vulnerability does not affect Oxygen products.

Starting with Oxygen Feedback v3.0.3 build 2023083012 Spring Security library was updated to a version which fixes this vulnerability.

Starting with Oxygen Content Fusion v6.0 build 2023110109 Spring Security library was updated to a version which fixes this vulnerability.

Abstract

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

The Oxygen products incorporate Thymeleaf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-38286

Severity: High

CVSS Score: 7.5

The Thymeleaf third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-38286 vulnerability description. However, since Oxygen products does not use Spring Boot Admin Server, this vulnerability does not affect Oxygen products.

Starting with Oxygen XML Web Author v26.0.0 build 2023101015 Thymeleaf library was updated to a version which fixes this vulnerability.

Abstract

Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to have an unknown impact via unspecified vectors involving (1) a %0a sequence in a cookie and (2) the add.php file.

The Oxygen products incorporate AIST NetCat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2008-5730

Severity: High

CVSS Score: 7.5

The AIST NetCat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2008-5730 vulnerability description. However, Oxygen XML Author, Oxygen XML Developer and Oxygen XML Editor are desktop applications, not server applications. Therefor, we are not affected by this vulnerability.

Abstract

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

The Oxygen products incorporate Okio as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-3635

Severity: High

CVSS Score: 7.5

The Okio third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-3635 vulnerability description. However, since user cannot control the GZIP archive, this vulnerability does not affect Oxygen XML products.

Abstract

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20883

Severity: High

CVSS Score: 7.5

The Spring Boot third-party library used by Oxygen Content Fusion is an affected version mentioned in CVE-2023-20883 vulnerability description. However, since the server is not accessible through a proxy server, this vulnerability does not affect Oxygen Content Fusion.

Starting with Oxygen Content Fusion v5.1.1 build 2023072112 Spring Boot library was updated to a version that fixes this vulnerability.

Abstract

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-28709

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML Web Author is an affected version mentioned in CVE-2023-28709 vulnerability description. However, since default HTTP connector settings are used, this vulnerability does not affect Oxygen XML Web Author.

Abstract

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

The Oxygen products incorporate hutool-json as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45688

Severity: High

CVSS Score: 7.5

The hutool-json third-party library used by Oxygen Content Fusion is an affected version mentioned in CVE-2022-45688 vulnerability description. Starting with Oxygen Content Fusion 5.1.1 build 2023072112 the affected library was updated to version that fixes this vulnerability.

Since Oxygen Publishing Engine doesn't use XML.toJSONObject, this vulnerability does not affect Oxygen Publishing Engine. However, Oxygen Publishing Engine starting with v25.1 build 2023031411 the affected library was updated to a version that fixes this vulnerability.

Starting with Oxygen License Server v25.1 build 2023031316 the affected library was updated to a version that fixes this vulnerability

Abstract

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

The Oxygen products incorporate Google Guava as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-2976

Severity: High

CVSS Score: 7.5

The Google Guava third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-2976 vulnerability description. However, since Oxygen XML products do not employ the FileBackedOutputStream class, we classify this vulnerability as low.

Starting with Oxygen XML v25.1 build 2023070306 Google Guava library was updated to v2.29 which fixes this vulnerability.

Abstract

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

The Oxygen products incorporate jtidy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34623

Severity: High

CVSS Score: 7.5

The jtidy third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34623 vulnerability description.

Starting with Oxygen XML v25.1 build 2023070306 jtidy library was updated to a version which fixes this vulnerability.

Abstract

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

The Oxygen products incorporate htmlcleaner as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34624

Severity: High

CVSS Score: 7.5

The htmlcleaner third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34624 vulnerability description.

Starting with Oxygen XML v25.1 build 2023070306 htmlcleaner library was updated to v2.29 which fixes this vulnerability.

Abstract

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20860

Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20860 vulnerability description. However, the Oxygen products do not use mvcMatchers. For that reason, the Oxygen XML products are not affected by this vulnerability.

Abstract

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20862

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20862 vulnerability description. However, the Oxygen products do not use the vulnerable code. For that reason, Oxygen XML products are not affected.

Abstract

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20873

Severity: Critical

CVSS Score: 9.8

The Spring Boot third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20873 vulnerability description. However, the Oxygen products are not deployed to to Cloud Foundry. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)

Detail

SYNC-2023-042301

Severity: Medium

CVSS Score: 5.3

Using special requests, a remote attacker may read files from WEB-INF directory of Oxygen XML Web Author application. However, by default, this directory does not contain sensitive information so the severity of this issue should be seen as low.

Abstract

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

The Oxygen products incorporate Apache Commons FileUpload as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-24998

Severity: High

CVSS Score: 7.5

The Apache Commons FileUpload third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-24998 vulnerability description.

Starting with Oxygen XML Web Author v25.1 build 2023031320 Apache Tomcat library was updated to v9.0.73 which fixes this vulnerability.

Abstract

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

The Oxygen products incorporate Woodstox as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40152

Severity: High

CVSS Score: 7.5

The Woodstox third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40152 vulnerability description. However, the Oxygen products does not enable DTD support. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.1.0 build 2023031320 Woodstox library was updated to a newer version which fixes this vulnerability.

Abstract

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

The Oxygen products incorporate OpenSSL as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-0286

Severity: High

CVSS Score: 7.4

The OpenSSL third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-0286 vulnerability description. However, the Oxygen products does not enable CRL checking. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

The Oxygen products incorporate cookiejar as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-25901

Severity: High

CVSS Score: 7.5

The cookiejar third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-25901 vulnerability description. However, the Oxygen products does not use the Cookie.parse function. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v3.0 build 2023031610 cookiejar library was updated to v2.1.4 which fixes this vulnerability.

Abstract

An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

The Oxygen products incorporate org.ini4j as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41404

Severity: High

CVSS Score: 7.5

The org.ini4j third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41404 vulnerability description. However, the Oxygen products does not call the affected method. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.1.0 build 2023031320 org.ini4j library was removed.

Abstract

In versions `<=8.5.1` of jsonwebtoken library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.

The Oxygen products incorporate jsonwebtoken as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23540

Severity: High

CVSS Score: 7.6

The jsonwebtoken third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23540 vulnerability description.

Starting with Oxygen Content Fusion v5.0.3 build 2023022015 the jsonwebtoken library was updated to v9.0.0 which fixes this vulnerability.

Abstract

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.

The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-22602

Severity: High

CVSS Score: 7.5

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-22602 vulnerability description. However, the Oxygen products does not use Apache Shiro with Spring Boot. For that reason, our products are not affected by this vulnerability.

Abstract

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45143

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45143 vulnerability description. However, the Oxygen products does not call the affected code. For that reason, Oxygen XML products are not affected.

Abstract

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

The Oxygen products incorporate Luxon as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-22467

Severity: High

CVSS Score: 7.5

The Luxon third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-22467 vulnerability description. However, the Oxygen products does not permit users input. For that reason, Oxygen XML products are not affected.

Abstract

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments.

The Oxygen products incorporate H2 Database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45868

Severity: High

CVSS Score: 7.8

The H2 Database third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45868 vulnerability description. However, the Oxygen products does not start the library with -webAdminPassword argument. For that reason, Oxygen XML products are not affected by this vulnerability

Abstract

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution.

The Oxygen products incorporate Apache SOAP as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45378

Severity: Critical

CVSS Score: 9.8

The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45378 vulnerability description. However, the Oxygen products doesn't use RPCRouterServlet. For that reason, our products are not affected by this vulnerability.

Abstract

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24999

Severity: High

CVSS Score: 7.5

The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.

Abstract

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41881

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41881 vulnerability description.

Starting with Oxygen XML Author v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

Abstract

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

The Oxygen products incorporate SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-25857

Severity: High

CVSS Score: 7.5

The SnakeYAML third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-25857 vulnerability description.

Abstract

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42003

Severity: High

CVSS Score: 7.5

The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42003 vulnerability description. However, the Oxygen products does not enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

The Oxygen products incorporate Socket.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-2421

Severity: Critical

CVSS Score: 9.8

The Socket.io third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-2421 vulnerability description.

Abstract

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

The Oxygen products incorporate Engine.IO as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41940

Severity: High

CVSS Score: 7.1

The Engine.IO third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41940 vulnerability description.

Abstract

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

The Oxygen products incorporate SnakeYaml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-1471

Severity: Critical

CVSS Score: 9.8

The SnakeYaml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-1471 vulnerability description. However, the Oxygen products does not use the Constructor() as described. For that reason, Oxygen XML products are not affected by this vulnerability.

Abstract

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42004

Severity: High

CVSS Score: 7.5

The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42004 vulnerability description. However, the Oxygen products does not enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.

Abstract

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40146

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40146 vulnerability description. However, the Oxygen products have security mechanism that blocks connections to untrusted hosts. For that reason, we have rated the severity level for our products as low.

Abstract

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

The Oxygen products incorporate protobuf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-3171

Severity: High

CVSS Score: 7.5

The protobuf third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-3171 vulnerability description. However, the Oxygen products does not read arbitrary data in protobuf format. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 protobuf library was updated to a newer version which fixes this vulnerability.

Abstract

The Shiro package is vulnerable to Improper Authentication. The doFilter() function in the OncePerRequestFilter class executes the filter once per request, even when forwarding or including via javax.servlet.RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.

The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40664

Severity: Critical

CVSS Score: 9.8

The Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40664 vulnerability description. However, the Oxygen products doesn't call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 Shiro library was updated to a newer version that fixes this vulnerability.

Abstract

If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42252

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42252 vulnerability description. However, the Oxygen products doesn't set rejectIllegalHeader to false. For that reason Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 Apache Tomcat library was updated to v9.0.68 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.2 build 2023020615 Apache Tomcat library was updated to v9.0.69 which fixes this vulnerability.

Abstract

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-31690

Severity: High

CVSS Score: 8.1

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31690 vulnerability description. However, the Access Token returned by Oxygen Feedback does not contain an empty scope list. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

Abstract

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-31692

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31692 vulnerability description. However, the Oxygen products are not configured as described in the vulnerability description. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

Abstract

The loader-utils package is vulnerable to Prototype Pollution. The parseQuery() function in the parseQuery.js file allows for modification of object prototypes via the name variable. A remote attacker can exploit this vulnerability to override the behavior of object prototypes, which may result in a Denial of Service (DoS) condition, Remote Code Execution (RCE), or other unexpected behavior.

The Oxygen products incorporate loader-utils as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-37601

Severity: Critical

CVSS Score: 9.8

The loader-utils third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-37601 vulnerability description. However, Oxygen XML products does not use server-side JavaScript to handle JSON content received as payload on REST requests. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 loader-utils library was updated to fix this vulnerability.

Abstract

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41704

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41704 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v24.1.0.2 build 2022110410 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 batik-bridge library was removed, which fixes this vulnerability.

Abstract

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42890

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42890 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Abstract

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

The Oxygen products incorporate Apache Xerces Java (XercesJ) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23437

Severity: Medium

CVSS Score: 6.5

The Apache Xerces Java (XercesJ) third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23437 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

Abstract

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions.

The Oxygen products incorporate Apache SOAP as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40705

Severity: High

CVSS Score: 7.5

The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40705 vulnerability description. However, Oxygen products does not use RPCRouterServlet class. For that reason, our products are not affected by this vulnerability.

Abstract

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Detail

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-32532 vulnerability description. However, Oxygen XML products does not use RegExPatternMatcher. For that reason, we are rated the severity level for our products as Low.

Starting with Oxygen Content Fusion v5.0.1 build 2022092005 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022070522 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

Abstract

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*

The Oxygen products incorporate codemirror as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-7760

Severity: High

CVSS Score: 7.5

The codemirror third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-7760 vulnerability description. However, Oxygen products does not load the vulnerable file (javascript.js). For that reason, we have rated the severity level for our products as Low.

Starting with Oxygen XML Web Author v25.0 codemirror library was updated to v5.65.8 which fixes this vulnerability.

Abstract

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.

The Oxygen products incorporate Apache Xalan Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-34169

Severity: High

CVSS Score: 7.5

The Apache Xalan Java third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-34169 vulnerability description. However, Oxygen XML products does not use Apache Xalan Java to generate Java classes from XSLT. For that reason, our products are not affected by this vulnerability.

Abstract

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-29885

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-29885 vulnerability description.

Starting with Oxygen Content Fusion v5.0 Apache Tomcat library was updated to a non-vulnerable version.

Abstract

The nekohtml package is vulnerable to Denial of Service due to Uncontrolled Resource Consumption. The scanPI() function in the HTMLScanner class mishandles the parsing of a processing instruction while scanning a document. An attacker can leverage this behavior using a specially-crafted HTML composition, which has a ? or / character at the end of the processed instruction, to cause an infinite loop that appends a byte in a buffer in every cycle, causing a java.lang.OutOfMemoryError exception.

The Oxygen products incorporate nekohtml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24839

Severity: High

CVSS Score: 7.5

The nekohtml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24839 vulnerability description.

Starting with Oxygen XML Web Author v24.1 build 2022070522 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Author v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Developer v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Editor v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen PDF Chemistry v24.1 build 2022062023 nekohtml library was removed.

Starting with Oxygen Content Fusion v5.0 build 2022092005 nekohtml library was updated to a non-vulnerable version.

Abstract

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

The Oxygen products incorporate Async as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-43138

Severity: High

CVSS Score: 7.8

The Async third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-43138 vulnerability description.

Starting with Oxygen Content Fusion v5.0 Async library was updated to v3.2.2 which fixes this vulnerability.

Abstract

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24785

Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24785 vulnerability description. However, Oxygen products does not set any locale/lang for Moment.js library. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 Moment.js library was updated to v3.2.2 which fixes this vulnerability.

Abstract

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-18214

Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2017-18214 vulnerability description. However, Oxygen products does not set any user provided date string. For that reason, our products are not affected by this vulnerability.

Abstract

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-11040

Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-11040 vulnerability description. However, Oxygen Feedback does not use MappingJackson2JsonView nor enable JSONP support through AbstractJsonpResponseBodyAdvice. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v2.1 build 2022071516 Spring Framework library was updated to a non-vulnerable version.

Abstract

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23181

Severity: High

CVSS Score: 7.0

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23181 vulnerability description. However, the Oxygen products are not configured to persist sessions using the FileStore. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v2.1 Apache Tomcat library was updated to v9.0.58 which fixes this vulnerability.

Starting with Oxygen XML Web Author v24.1.0 Apache Tomcat library was updated to v9.0.59 which fixes this vulnerability.

Abstract

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Detail

CVE-2022-22978

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22978 vulnerability description. However, Oxygen XML products do not invoke the RegexRequestMatcher method. For that reason, we have rated the severity level for our products as low.

Abstract

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

Detail

CVE-2022-29162

Severity: High

CVSS Score: 7.8

The runc third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-29162 vulnerability description.

Starting with Oxygen Content Fusion v5.0 build 2022092005 runc has been removed to fix this vulnerability.

Abstract

CVE-2021-42550.xml

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Detail

CVE-2021-42550

Severity: Low

CVSS Score: 6.6

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42550 vulnerability description. However, the vulnerability can be only eploited by modifying the logging configuration by a trusted party. For that reason, we are rated the severity level for our products as low.

Abstract

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet.

Detail

CVE-2022-31197

Severity: High

CVSS Score: 8.0

The PostgreSQL JDBC Driver third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31197 vulnerability description. However, Oxygen XML products do not invoke the `ResultSet.refreshRow()` method. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback version 2.1.3 build 2022091217, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.

Starting with Oxygen Content Fusion 5.0.1 build 2022092005, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.

Abstract

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

The Oxygen products incorporate resteasy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-1695

Severity: High

CVSS Score: 7.5

The resteasy third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-1695 vulnerability description.

Starting with Oxygen Web Author v24.1 build 2022070522 resteasy library was updated to version v4.6.0.Final which fixes this vulnerability.

Starting with Oxygen Content Fusion v5.0 build 2022092005 reasteasy library was updated to version v4.7.6 which fixes this vulnerability.

Abstract

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

The Oxygen Content Fusion incorporates postgresql as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-26520

Severity: High

CVSS Score: 7.0

The postgresql third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-26520 vulnerability description. However, the Oxygen products are not configured to allow untrusted users to supply JDBC URLs or their properties. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 postgresql library was updated to v42.3.4 which fixes this vulnerability.

Abstract

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The deserialize() method in the UntypedObjectDeserializer and UntypedObjectDeserializer$Vanilla classes fails to restrict recursion when deserializing nested untyped or generic objects. A remote attacker who can supply data to be deserialized by an affected application can exploit this vulnerability to cause the JVM to consume all available memory, resulting in a StackOverflow exception and ultimately a DoS condition.

The Oxygen products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36518

Severity: High

CVSS Score: 7.5

The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-36518 vulnerability description.

Starting with Oxygen Web Author v24.1.1 jackson-databind library was updated to a non-vulnerable version.

Starting with Oxygen Content Fusion v4.1 build 2022040914 jackson-databind library was updated to a non-vulnerable version.

Abstract

Vulnerabilities in Ubuntu server 20.04 used by Oxygen Content Fusion.

Syncro Soft engineers have addressed the following CVEs.

Vulnerabilities details

CVE-2022-1015

Severity: Critical

CVSS Score: 9.8

Description: An out of bounds access was discovered in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.

CVE-2021-3653

Severity: Critical

CVSS Score: 8.8

Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “int_ctl” field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

CVE-2021-3656

Severity: Critical

CVSS Score: 8.8

Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “virt_ext” field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

CVE-2022-0185

Severity: Critical

CVSS Score: 8.4

Description: A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

CVE-2021-3492

Severity: High

CVSS Score: 7.8

Description: Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

CVE-2021-3493

Severity: High

CVSS Score: 7.8

Description: The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

CVE-2021-22555

Severity: High

CVSS Score: 7.8

Description: A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.

CVE-2021-27365

Severity: High

CVSS Score: 7.8

Description: An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.

CVE-2021-29154

Severity: High

CVSS Score: 7.8

Description: BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.

CVE-2021-33909

Severity: High

CVSS Score: 7.8

Description: fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

CVE-2021-3444

Severity: High

CVSS Score: 7.8

Description: The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution.

CVE-2022-0492

Severity: High

CVSS Score: 7.8

Description: A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

CVE-2022-25636

Severity: High

CVSS Score: 7.8

Description: net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

CVE-2022-1055

Severity: High

CVSS Score: 7.8

Description: A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces.

CVE-2021-3600

Severity: High

CVSS Score: 7.8

Description: It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.

CVE-2021-3609

Severity: High

CVSS Score: 7.0

Description: A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

Starting with Oxygen Content Fusion version 4.1.6 build number 2022040914, the affected packages were updated and all vulnerabilities were fixed.

Abstract

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

The Oxygen products incorporate Minimist as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-44906

Severity: Critical

CVSS Score: 9.8

The Minimist third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44906 vulnerability description. However, the Oxygen Feedback product does not pass data from untrusted sources to this library. For that reason, we have rated the severity level for our products as low.

Abstract

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

The Oxygen products incorporate Spring MVC as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-22965

Severity: Critical

CVSS Score: 9.8

The Spring MVC third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22965 vulnerability description. However, the Oxygen Feedback product is not available as a WAR file. For that reason, our products are not affected by this vulnerability.

Abstract

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The readExternal() method in the NodeSerialization class fails to restrict allocation when JsonNode objects are serialized/deserialized by the JDK.

The Oxygen XML products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2022-1003

Severity: High

CVSS Score: 7.5

The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in SYNC-2022-1003 vulnerability description. However, this library is not used to serialize/deserialize JsonNode objects from untrusted sources. For that reason, we have rated the severity level for our products as low.

Abstract

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

The Oxygen License Server product incorporates Eclipse Jetty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-28165

Severity: High

CVSS Score: 7.5

The Eclipse Jetty package used by Oxygen License Server product is an affected version mentioned in CVE-2021-28165 vulnerability description.

Starting with Oxygen License Server version 24.1, the Eclipse Jetty was updated to version 9.4.45.v20220203, which includes a fix for CVE-2021-41303.

Abstract

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties.

The Oxygen Content Fusion product incorporates shelljs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-21724

Severity: Critical

CVSS Score: 9.8

The postgresql package used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-21724 vulnerability description. However, the configuration files cannot be changed by untrusted users. For that reason, we have rated the severity level for our products as low.

Abstract

The shelljs package is vulnerable due to Improper Privilege Management. The execSync() function in the exec.js file does not properly ensure if a user is authorized to read and write to the paramFiles, stdoutFile and stderrFile before allowing the user to access them. A local attacker with low privileges can exploit this behavior to obtain sensitive information from the aforementioned files. The attacker can also create a stdoutFile or stderrFile first, which will crash the exec process when it tries to write to these files, resulting in a Denial of Service (DoS) condition.

The Oxygen Content Fusion product incorporates shelljs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-0144

Severity: High

CVSS Score: 7.1

The shelljs third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-0144 vulnerability description. However, the shelljs library is used only for backup restore and it is executed into an isolated container that is not available to untrusted users. For that reason, we have rated the severity level for our products as low.

Abstract

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

The Oxygen XML products incorporate H2 database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-42392

Severity: Critical

CVSS Score: 9.8

The H2 database third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42392 vulnerability description. However, the H2 console is not available for untrusted users. For that reason, we have rated the severity level for our products as low.

Abstract

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

The Oxygen License Server product incorporates com.h2database:h2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-23463

Severity: Critical

CVSS Score: 9.1

The com.h2database:h2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-23463 vulnerability description. However, this library is not used to parse XML data from untrusted sources. For that reason, we have rated the severity level for our products as low.

Abstract

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-7489

Severity: Critical

CVSS Score: 9.8

The FarsterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-7489 vulnerability description. However, c3p0 libraries are not available in the Oxygen XML products classpath. For that reason, we have rated the severity level for our products as low.

Abstract

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

The Oxygen products incorporate Jackson as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2019-10172

Severity: High

CVSS Score: 7.5

The Jackson third-party library used by Oxygen XML products is an affected version mentioned in CVE-2019-10172 vulnerability description.

Starting with Oxygen XML Web Author v23.1 Jackson library was updated to v2.11.0 which fixes this vulnerability.

Abstract

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.

The Oxygen PDF Chemistry product incorporates the Apache XmlGraphics Commons 2.4 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-11988

Severity: High

CVSS Score: 8.2

The Apache XmlGraphics Commons third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11988 vulnerability description.

Starting with Oxygen PDF Chemistry v22.1 build 2021121712, the Apache XmlGraphics Commons library was updated to version 2.6 which fixes this vulnerability.

Abstract

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

The Oxygen XML products incorporate Redis as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-32626

Severity: High

CVSS Score: 8.8

The Redis third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-32626 vulnerability description. However, execution of Lua scripts is disabled in our products. For that reason, we have rated the severity level for our products as low.

Abstract

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-44832

Severity: Medium

CVSS Score: 6.6

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44832 vulnerability description. However, our default configuration does not use JDBC Appender with a data source referencing a JNDI URI and can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

Abstract

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-4104

Severity: High

CVSS Score: 8.1

The Apache Log4j third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-4104 vulnerability description. However, our default configuration does not use JSM Appender and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

Abstract

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-45105

Severity: High

CVSS Score: 7.5

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45105 vulnerability description. However, our default configuration does not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

Abstract

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

The Oxygen PDF Chemistry product incorporates the Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-11987

Severity: High

CVSS Score: 8.2

The Apache Batik third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11987 vulnerability description. However, NodePickerPanel class is not used in Oxygen PDF Chemistry. Therefore Oxygen PDF Chemistry product is not affected by CVE-2020-11987.

Abstract

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-45046

Severity: Critical

CVSS Score: 9.0

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45046 vulnerability description. However, our default configuration doe not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

Abstract

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.

Detail

CVE-2021-44228

Severity: Critical

CVSS Score: 10

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.

Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. An attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references.

The Oxygen Feedback product incorporates the logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-2610

Severity: High

CVSS Score: 8.6

The logback-core third-party library used by Oxygen Feedback product is an affected version mentioned in SYNC-2021-2610 vulnerability description. However, Oxygen Feedback does not accept XML data as user input. Therefore Oxygen Feedback product is not impacted by SYNC-2021-2610.

Starting with Oxygen Feedback version 1.4.4, the logback-core was updated to version 1.2.6, which includes a fix for SYNC-2021-2610.

Abstract

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.

The Oxygen Feedback product incorporates the jsoup as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37714

Severity: High

CVSS Score: 7.5

The jsoup third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37714 vulnerability description.

Starting with Oxygen Feedback version 1.4.4, the jsoup was updated to version 1.14.2, which includes a fix for CVE-2021-37714.

Abstract

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

The Oxygen XML products incorporate the thymeleaf-spring as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-43466

Severity: Critical

CVSS Score: 9.8

The thymeleaf-spring third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-43466 vulnerability description. However, the Oxygen XML software products doesn't render templetes supplied by users. Therefore Oxygen XML software products are not impacted by CVE-2021-43466.

Starting with Oxygen Feedback version 1.4.4, the thymeleaf-spring package was updated to version 3.0.13, which includes a fix for this vulnerability.

Abstract

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

The Oxygen XML products incorporates the Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37137

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37137 vulnerability description. However, the Oxygen XML software products doesn't use Netty to decompress user-supplied Snappy data streams. Therefore Oxygen XML software products are not impacted by CVE-2021-37137.

Abstract

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.

The Oxygen XML products incorporates the Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37136

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37136 vulnerability description. However, the Oxygen XML software products doesn't use Netty to decompress user-supplied Bzip2 data streams. Therefore Oxygen XML software products are not impacted by CVE-2021-37136.

Abstract

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

The Oxygen XML products incorporate the hibernate-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-25638

Severity: High

CVSS Score: 7.4

The hibernate-core third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-25638 vulnerability description. However, the Oxygen XML software products doesn't set hibernate.use_sql_comments to true. Therefore Oxygen XML software products are not impacted by CVE-2020-25638.

Starting with Oxygen Content Fusion version 4.1, the hibernate-core package was updated to version 5.4.24, which includes a fix for this vulnerability.

Abstract

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

The Oxygen XML products incorporates the Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-17523

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-17523 vulnerability description. However, Spring is not included in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2020-17523.

Starting with Oxygen Content Fusion version 4.1, the Apache Shiro was updated to version 1.8, which includes a fix for CVE-2020-17523.

Abstract

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

The Oxygen XML products incorporates the Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-1294

Severity: high

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2018-1294 vulnerability description. However, the Oxygen XML software products validate input before being passed to Email.setBounceAddress(String). Therefore Oxygen XML software products are not impacted by CVE-2018-1294.

Starting with Oxygen Content Fusion version 4.1, the Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2018-1294.

Abstract

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

The Oxygen XML products incorporates the Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-9801

Severity: high

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-9801 vulnerability description.

Starting with Oxygen Content Fusion version 4.1, the Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2017-9801.

Abstract

SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation.

The Oxygen XML products incorporates the SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-18640

Severity: high

CVSS Score: 7.5

The SnakeYAML third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-18640 vulnerability description. However, the Oxygen XML software products use SnakeYAML only to generate YAML files, not to parse YAML files. Therefore Oxygen XML software products are not impacted by CVE-2017-18640.

Starting with Oxygen Content Fusion version 4.1, the SnakeYAML library was removed.

Abstract

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-42340

Severity: high

CVSS Score: 7.5

The Apache Tomcat 9.0.52 third-party library used by Oxygen Feedback products is an affected version mentioned in CVE-2021-42340 vulnerability description.

Starting with Oxygen Feedback version 1.4.4, the Apache Tomcat was updated to version 9.0.54, which includes a fix for CVE-2021-42340.

Starting with Oxygen XML Web Author version 23.1 build 2021112409, the Apache Tomcat was updated to version 9.0.55, which includes a fix for CVE-2021-42340.

Abstract

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the secureValidation property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

The Apache Santuario - XML Security package is vulnerable to Information Exposure. A remote attacker can exploit this behavior to extract any local .xml files during an XPath transform using the RetrievalMethod element. This would result in the attacker gaining access to otherwise restricted information on an application using this package to implement XML security standards.

The Oxygen XML products incorporates the Apache Santuario - XML Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-40690

Severity: High

CVSS Score: 7.5

The Apache Santuario - XML Security third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-40690 vulnerability description.

Starting with Oxygen XML version 24.0, the Apache Santuario - XML Security was updated to version 2.1.7, which includes a fix for CVE-2021-40690.

Abstract

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.

The Oxygen XML Web Author products incorporates the Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-41303

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-41303 vulnerability description. However, Spring Boot is not included in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2021-41303.

Starting with Oxygen XML Web Author version 24.0, the Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.

Abstract

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. A remote attacker can exploit this vulnerability by issuing a maliciously crafted packet in order to cause an infinite loop and ultimately a DoS condition.

The Oxygen XML products incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-41079

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-41079 vulnerability description.

Starting with Oxygen XML Web Author version 24.0, the Apache Tomcat was updated to version 9.0.53, which includes a fix for CVE-2021-41079.

Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. The buildSaxParser() method in the SaxEventRecorder class processes malicious external entities by default due to an unsafe XML parser configuration.

The Oxygen XML products incorporates the logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-2809

Severity: Medium

CVSS Score: 5.1

The logback-core third-party library used by Oxygen XML software products is an affected version.

Starting with Oxygen 24.0, the logback-core was updated to version 1.2.6, which fixes this vulnerability.

Abstract

There is a JavaScript injection vulnerability in WebHelp output. Using XSS attack, an attacker may inject Javascript code by typing specific expression in search field. This exploit requires a user to be tricked into executing malicious code, by searching for specific text.

Detail

SYNC-2021-072301

Severity: Medium

CVSS Score: 5.5

Oxygen XML WebHelp output is vulnerable to cross-site scripting. This vulnerability allows users to inject arbitrary JavaScript code in the WebHelp output thus altering the intended functionality.

To fix this vulnerability, you need to:

• Update your products to a non-vulnerable version.
• Replace the WebHelp outputs that were previously generated using one of the affected products with freshly generated ones.

The vulnerability has been fixed in version 22.1 starting with build 2021082013 and version 23.1 starting with build 2021082307.

Abstract

International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.

Detail

CVE-2018-18928

Severity: Critical

CVSS Score: 9.8

The International Components for Unicode (ICU) package used by Oxygen XML software products is an affected version mentioned in CVE-2018-18928 vulnerability description.

Starting with version 23.1 build 2021082307, the International Components for Unicode (ICU) package was updated to version 69.1, which includes a fix for this vulnerability.

Abstract

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Detail

CVE-2021-36090

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-36090 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

Abstract

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Detail

CVE-2021-35517

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35517 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

Abstract

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Detail

CVE-2021-35516

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35516 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

Abstract

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress sevenz package.

Detail

CVE-2021-35515

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35515 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

Abstract

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

Detail

CVE-2021-33910

Severity: Medium

CVSS Score: 5.5

The systemd package used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2021-33910 vulnerability description.

Starting with version 4.1.1 build 2021080611, the systemd package was updated to version 245.4-4ubuntu3.11, which includes a fix for CVE-2021-33910.

Abstract

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

The Oxygen Content Fusion product incorporates Lodash as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-23337

Severity: High

CVSS Score: 7.2

The Lodash third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2021-23337 vulnerability description.

Starting with Content Fusion version 4.1 build 2021070912, the Lodash third-party was updated to version 4.17.21, which fixes the CVE-2021-23337.

Abstract

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494.

The tomcat-catalina package is vulnerable to Remote Code Execution (RCE). The file() method in the FileStore class fails to sufficiently enforce the current FileStore directory when creating a File object, allowing Tomcat instances with certain configurations to deserialize objects from files outside of the file store. An attacker with knowledge of the FileStore location and control of the file passed into the FileStore object as input may submit a maliciously crafted request to trigger arbitrary code execution on affected Tomcat servers.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-25329

Severity: High

CVSS Score: 7.0

The Apache Tomcat 9.0.41 third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-25329 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25329.

Abstract

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

The tomcat-coyote package is vulnerable to Information Exposure. The process method in AbstractProtocol.class does not properly handle HTTP/2 Cleartext (h2c) connections between multiple clients, responding with the request headers and partial body of one connection to another. An attacker can exploit this to gain access to sensitive information meant for a different client.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-25122

Severity: High

CVSS Score: 7.5

The Apache Tomcat 9.0.41 third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-25122 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25122.

Abstract

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

The spring-security-web package is vulnerable to Improper Authorization. The saveContext() method in the HttpSessionSecurityContextRepository class and the contextChanged() method in the HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper class fail to store the HttpSession if the SecurityContext is altered more than once per request. An attacker can leverage this behavior to extend the scope of their existing privileges in order to access functionality that would otherwise be restricted.

The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-22112

Severity: High

CVSS Score: 8.8

The Spring Security 5.4.2 module (part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-22112 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Spring Security module was updated to version 5.4.5, which includes a fix for CVE-2021-22112.

Abstract

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Apache Velocity is vulnerable to Code Injection. The checkObjectExecutePermission method in SecureIntrospectorImpl.class fails to deny access to java.lang.ClassLoader methods. An attacker with template modification abilities can exploit this to execute arbitrary code using a maliciously crafted template when Velocity templates are used in the context of a VelocityView.

The Oxygen product incorporates Velocity as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-13936

Severity: High

CVSS Score: 8.8

The Velocity third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-13936 vulnerability description.

Abstract

The express package is vulnerable to HTTP Response Splitting. The redirect() function in the file response.js allows Carriage Return and Line Feed (CRLF) characters in the user input, which is then injected into the HTTP response. A remote attacker can exploit the vulnerability by crafting user input with the CRLF characters which will allow the attacker to set arbitrary HTTP response headers and control the body of the HTTP response. Likewise, any sensitive information, such as authentication tokens that are returned in the HTTP response sequentially after the injection point, will be accessible to the attacker.

The Oxygen Content Fusion product incorporates the express package as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-031201

Severity: High

CVSS Score: 7.5

While there is no non-vulnerable version of this component the vulnerability was fixed at the runtime level, within NodeJS itself.

All versions of Oxygen Content Fusion are using a NodeJS version newer than 0.9.4.

Therefore, the Oxygen Content Fusion product is not affected by this vulnerability.

Abstract

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

The engine.io package is vulnerable to Denial of Service (DoS) attacks. The constructor in server.js declares an insecure buffer limit of 100mb for requests. A remote attacker can exploit this vulnerability by leveraging the long polling transport to submit a large POST payload that may encapsulate multiple malicious packets. Processing this payload will cause the application to consume all available resources, ultimately resulting in a DoS condition.

The Oxygen Content Fusion product incorporates the engine.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36049

Severity: High

CVSS Score: 7.5

The engine.io package third-party library used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2020-36048 vulnerability description.

Starting with Oxygen Content Fusion 4.0, we have limited the maximum size of a package to 1MB.

Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36048.

Abstract

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

The socket.io-parser package is vulnerable to Denial of Service (DoS). The decodeString() function in index.js fails to parse large remote strings passed into the application for decoding due to unnecessary memory allocation leading to Uncontrolled Resource Consumption. A remote attacker with control over the input string being decoded by the library may craft a malicious string that would cause an application using the socker.io-parser package to crash.

The Oxygen Content Fusion product incorporates the socket.io-parser as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36049

Severity: High

CVSS Score: 7.5

The socket.io-parser package third-party library used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2020-36049 vulnerability description.

Starting with Oxygen Content Fusion 4.0, we have limited the maximum size of a package to 1MB.

Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36049.

Abstract

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

The org.springframework:spring-web package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The readRemoteInvocation method in HttpInvokerServiceExporter.class does not properly verify or restrict untrusted objects prior to deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which when deserialized, execute arbitrary code on the vulnerable system.

The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2016-1000027

Severity: High

CVSS Score: 9.8

The Spring Web 5.2.9.RELEASE module(part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2016-1000027 vulnerability description. However, the Oxygen Feedback product is not affected by this vulnerability because the HttpInvokerServiceExporter class is not used.

Starting with Oxygen Feedback 1.3.1, the Spring Web module was rebuilt after we removed the classes and packages (org.springframework.remoting.caucho, org.springframework.remoting.httpinvoker) where the vulnerability was reported.

Therefore, the Oxygen Feedback product is not impacted by CVE-2016-1000027.

Abstract

Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Tomcat is susceptible to a vulnerability which could allow for reading of arbitrary files on the affected system (CVE-2020-1938). The vulnerability exists in the Apache JServ Protocol (AJP) protocol, which is enabled by default and listens on all configured IP addresses. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. This affects Apache Tomcat versions 6.x, 7.x less than 7.0.100, 8.x less than 8.5.51 and 9.x less than 9.0.31.

Multiple Oxygen XML products incorporate Apache Tomcat. This advisory was opened to address the potential impact on this vulnerability.

Detail

CVE-2020-1938

Severity: High

CVSS Score: 9.8

Apache Tomcat used by Oxygen XML software products has an affected version mentioned in CVE-2020-1938 vulnerability description. However, the AJP Connector (where the vulnerability exists) is not enabled and used in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2020-1938.

Abstract

On December 19, 2019, Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Log4j has a deserialization issue that could cause remote code execution (CVE-2019-17571). Log4j is a Java-based open-source logging tool that includes a SocketServer class which can easily accept serialized log events and deserialize them without authentication. With the aid of deserialization tools, an attacker could use this class to remotely execute arbitrary code. This affects Log4j versions up to 1.2 up to 1.2.17. A similar flaw found in Log4j 2.x has been assigned CVE-2017-5645.

Multiple Oxygen XML products incorporate Apache Log4j as third party library. This advisory was opened to address the potential impact on this third party library vulnerability.

Detail

CVE-2019-17571

Severity: High

CVSS Score: 9.8

Log4j third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2019-17571 vulnerability description. However, the Log4j capability to access remote logs through its SocketServer class (where the vulnerability exists) is not enabled and used in Oxygen XML software products. Log4j is used for basic logging within our applications. Therefore Oxygen XML software products are not impacted by CVE-2019-17571.

Abstract

The handling of XML documents in Oxygen XML Editor/Author/Developer is vulnerable to attacks based on XML External Entities (XXE). This applies only to documents that contain embedded DTDs and Entity declarations.

Detail

SYNC-2019-111401

Severity: Medium

CVSS Score: 6.5

This is a medium-severity issue. Because the embedded XML parser does not offer enough control over the location of files it opens, this XXE vulnerability allows execution of specially crafted XML files. Thus, the attacker can read files that are accessible to the Oxygen XML process currently running. In order to be successful, the attacker should have very good knowledge of the files location in your file system to be able to access the information stored on your computer.