Security Advisories

To report a technical security vulnerability related to our products, kindly provide the details via email to . Alternatively, you can refer to the following section for comprehensive information: https://www.oxygenxml.com/security/#reporting-a-new-vulnerability

Syncro Soft uses Security Advisories to communicate security information to Syncro Soft customers regarding security vulnerabilities.

This section contains all recent security advisories that were issued by Syncro Soft. To protect the security of our customers, we don't publish a security advisory until the vulnerability has been fully investigated and a patch or update is available that resolves the issue.

These posts by the Syncro Soft security team are also sent to the security announcements email list and reference to them may be included in the release notes. Get notified of Syncro Soft releases and security advisories by registering to security announcements email list below:

Advisory NumberSeverityStatusAffected ProductsLast Updated
CVE-2024-1597

Abstract

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

The Oxygen products incorporate pgjdbc as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Abstract

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

The Oxygen products incorporate pgjdbc as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

NoneResolved Oxygen Content Fusion 6.1.1 and older
Oxygen Feedback 4.1 and older
2024-04-10 01:10:00
CVE-2024-23672

Abstract

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

The Oxygen products incorporate Apache Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Abstract

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

The Oxygen products incorporate Apache Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

HighResolved Oxygen XML Web Author 26.0.0.1 and older 2024-03-29 02:10:00
SYNC-2024-020601

Abstract

Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) for malicious URLs.

Detail

SYNC-2024-020601

Severity: High

CVSS Score: 8.1

Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Reflected Cross-Site Scripting (XSS) by crafting a malicious request that injects unauthorized JavaScript code.

HighResolved Oxygen XML Web Author 26.0.0 and older
Oxygen Content Fusion 6.1 and older
2024-03-15 01:10:00
CVE-2023-46589

Abstract

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

The Oxygen products incorporate Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-46589

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-46589 vulnerability description. However, Oxygen Feedback product's design incorporates security measures that mitigates the exploitation of this vulnerability. For that reason, Oxygen Feedback is not affected by this vulnerability.

Starting with Oxygen XML Web Author v26.0.0.1 build 2024022608 Apache Tomcat library was updated to a version which fixes this vulnerability.

Starting with Oxygen Feedback v4.1 build 2024013118 Apache Tomcat library was updated to a version which fixes this vulnerability.

HighResolved Oxygen XML Web Author 26.0.0 and older
Oxygen Feedback 4.0 and older
2024-03-08 13:10:00
CVE-2023-34062

Abstract

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

The Oxygen products incorporate Reactor Netty HTTP Server as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-34062

Severity: High

CVSS Score: 7.5

The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-34062 vulnerability description. However, Reactor Netty HTTP Server in Oxygen XML products is not configured to serve static resources. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 6.0 and older 2024-02-22 15:10:00
CVE-2023-6481

Abstract

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

The Oxygen products incorporate logback as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-6481

Severity: High

CVSS Score: 7.5

The logback third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-6481 vulnerability description. However, Oxygen XML products do not use receiver component part of logback. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 6.0 and older
Oxygen Feedback 4.0 and older
2024-02-19 14:10:00
CVE-2023-34054

Abstract

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

The Oxygen products incorporate Reactor Netty HTTP Server as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-34054

Severity: High

CVSS Score: 7.5

The Reactor Netty HTTP Server third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-34054 vulnerability description. However, Oxygen XML products do not use metrics / Micrometer. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 6.0 and older 2024-02-16 13:10:00
CVE-2023-46120

Abstract

The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.

The Oxygen products incorporate RabbitMQ Java as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-46120

Severity: High

CVSS Score: 7.5

The netty third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-46120 vulnerability description. However, Oxygen Content Fusion product's design incorporates security measures that mitigates the exploitation of this vulnerability. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 6.0 and older 2024-02-09 12:10:00
CVE-2023-5072

Abstract

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

The Oxygen products incorporate JSON-Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-5072

Severity: High

CVSS Score: 7.5

The JSON-Java third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-5072 vulnerability description.
Oxygen XML products do not parse JSON user input. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 5.1 and older
Oxygen XML Author 26.0 and older
Oxygen XML Developer 26.0 and older
Oxygen XML Editor 26.0 and older
Oxygen License Server 26.0 and older
Oxygen Publishing Engine 26.0 and older
Oxygen XML Web Author 26.0.0. and older
2024-02-09 12:10:00
CVE-2023-4911

Abstract

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

The Oxygen products incorporate GNU C as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4911

Severity: High

CVSS Score: 7.8

The GNU C third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4911 vulnerability description. Oxygen Feedback product's design incorporates security measures that significantly reduce the exploitation risks of this vulnerability. For that reason we rated this vulnerability as low.

LowResolved Oxygen Feedback 4.0 and older 2024-01-30 14:10:00
CVE-2023-44487

Abstract

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

The Oxygen products incorporate Netty as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-44487

Severity: Critical

CVSS Score: 7.5

The netty third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-44487 vulnerability description. However, Oxygen Content Fusion uses the Netty library only for internal network. For that reason we rated this vulnerability as low.

HighResolved Oxygen Content Fusion 5.1.2 and older
Oxygen Publishing Engine 26.0 and older
Oxygen XML Web Author 26.0.0 and older
2024-01-30 14:10:00
CVE-2023-4759

Abstract

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem.

The Oxygen products incorporate JGit as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4759

Severity: High

CVSS Score: 8.8

The JGit third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4759 vulnerability description.
Oxygen Content Fusion runs on a case-sensitive filesystem. For that reason, Oxygen Content Fusion is not affected by this vulnerability.

HighResolved Oxygen Content Fusion 6.0 and older
Oxygen XML Web Author 26.0.0 and older
2024-01-29 12:20:00
CVE-2023-6378

Abstract

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

The Oxygen products incorporate logback as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-6378

Severity: High

CVSS Score: 7.5

The logback third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-6378 vulnerability description. However, Oxygen XML products do not use receiver component part of logback. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen XML Author 26.0
Oxygen XML Developer 26.0
Oxygen XML Editor 26.0
Oxygen JSON Editor 26.0
Oxygen Content Fusion 6.0 and older
Oxygen XML Web Author 26.0.0 and older
Oxygen Feedback 4.0 and older
Oxygen PDF Chemistry 26.0 and older
Oxygen Publishing Engine 26.0 and older
Oxygen License Server 26.0 and older
2024-01-19 14:20:00
CVE-2023-4586

Abstract

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

The Oxygen products incorporate netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-4586

Severity: High

CVSS Score: 7.4

The netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-4586 vulnerability description.
Oxygen Content Fusion uses netty library only to connect internally and doesn't use hostname verification with this library. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Publishing Engine 26.0 and older
Oxygen Content Fusion 6.0 and older
2023-12-22 15:20:00
CVE-2023-38545

Abstract

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes.
If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there.
The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

The Oxygen products incorporate curl, libcurl4 as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Detail

CVE-2023-38545

Severity: Critical

CVSS Score: 9.8

The curl, libcurl4 third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-38545 vulnerability description. However, Oxygen XML Feedback is a Java based application. For that reason we rated this vulnerability as low.

LowResolved Oxygen Feedback 3.0.3 and older 2023-12-22 15:20:00
CVE-2020-7746

Abstract

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

The Oxygen products incorporate chart.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-7746

Severity: Critical

CVSS Score: 9.8

The chart.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-7746 vulnerability description. However, since this library doesn't use user controlled options, this vulnerability does not affect Oxygen products.

NoneResolved Oxygen XML Web Author 25.1.0.1 and older 2023-11-09 14:20:00
CVE-2022-44729

Abstract

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

The Oxygen products incorporate Apache XML Graphics Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-44729

Severity: High

CVSS Score: 7.1

The Apache XML Graphics Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-44729 vulnerability description.

Starting with Oxygen XML Author v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Developer v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Editor v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Author v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Developer v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Editor v26.0 build 2023100905 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen XML Web Author v26.0 build 2023101015 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen Publishing Engine v25.1 build 2023110913 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

Starting with Oxygen Publishing Engine v26.0 build 2023100523 Apache XML Graphics Batik library was updated to a version which fixes this vulnerability.

HighResolved Oxygen XML Author 25.1 and older
Oxygen XML Developer 25.1 and older
Oxygen XML Editor 25.1 and older
Oxygen XML Web Author 25.1.0.1 and older
Oxygen Publishing Engine 25.1 and older
2023-11-09 14:20:00
CVE-2023-34478

Abstract

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34478

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34478 vulnerability description.

Starting with Oxygen XML Web Author 26.0.0 build 2023101015 Apache Shiro library was updated to a version which fixes this vulnerability.

Starting with Oxygen Content Fusion 6.0 build 2023110109 Apache Shiro library was updated to a version which fixes this vulnerability.

CriticalResolved Oxygen Content Fusion 5.1.1 and older
Oxygen XML Web Author 25.1.0.1 and older
2023-11-09 14:20:00
CVE-2022-3515

Abstract

A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

The Oxygen products incorporate Libksb as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-3515

Severity: Critical

CVSS Score: 9.8

The Libksba third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-3515 vulnerability description. However, since Oxygen products does not use Libksb library at runtime, this vulnerability does not affect Oxygen products and will be removed in future versions.

Starting with Oxygen Content Fusion v6.0 build 2023110109 Libksb library was removed.

NoneResolved Oxygen Content Fusion 5.0.1 and older 2023-11-06 15:23:00
CVE-2023-34034

Abstract

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34034

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34034 vulnerability description. However, since Oxygen products does not use WebFlux controllers, this vulnerability does not affect Oxygen products.

Starting with Oxygen Feedback v3.0.3 build 2023083012 Spring Security library was updated to a version which fixes this vulnerability.

Starting with Oxygen Content Fusion v6.0 build 2023110109 Spring Security library was updated to a version which fixes this vulnerability.

NoneResolved Oxygen Content Fusion 5.1.1 and older
Oxygen Feedback 3.0.2 and older
2023-11-06 15:20:00
CVE-2023-38286

Abstract

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

The Oxygen products incorporate Thymeleaf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-38286

Severity: High

CVSS Score: 7.5

The Thymeleaf third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-38286 vulnerability description. However, since Oxygen products does not use Spring Boot Admin Server, this vulnerability does not affect Oxygen products.

Starting with Oxygen XML Web Author v26.0.0 build 2023101015 Thymeleaf library was updated to a version which fixes this vulnerability.

NoneResolved Oxygen Content Fusion 5.1.1 and older
Oxygen XML Web Author 25.1.0.1 and older
Oxygen Feedback 3.0.2 and older
2023-11-06 15:20:00
CVE-2008-5730

Abstract

Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to have an unknown impact via unspecified vectors involving (1) a %0a sequence in a cookie and (2) the add.php file.

The Oxygen products incorporate AIST NetCat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2008-5730

Severity: High

CVSS Score: 7.5

The AIST NetCat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2008-5730 vulnerability description. However, Oxygen XML Author, Oxygen XML Developer and Oxygen XML Editor are desktop applications, not server applications. Therefor, we are not affected by this vulnerability.

NoneResolved Oxygen XML Author 25.1 and older
Oxygen XML Developer 25.1 and older
Oxygen XML Editor 25.1 and older
2023-11-06 15:20:00
CVE-2023-3635

Abstract

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

The Oxygen products incorporate Okio as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-3635

Severity: High

CVSS Score: 7.5

The Okio third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-3635 vulnerability description. However, since user cannot control the GZIP archive, this vulnerability does not affect Oxygen XML products.

NoneResolved Oxygen Content Fusion 5.1.1 and older 2023-10-05 15:23:00
CVE-2023-20883

Abstract

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20883

Severity: High

CVSS Score: 7.5

The Spring Boot third-party library used by Oxygen Content Fusion is an affected version mentioned in CVE-2023-20883 vulnerability description. However, since the server is not accessible through a proxy server, this vulnerability does not affect Oxygen Content Fusion.

Starting with Oxygen Content Fusion v5.1.1 build 2023072112 Spring Boot library was updated to a version that fixes this vulnerability.

NoneResolved Oxygen Content Fusion 5.1 and older
Oxygen Feedback 3.0.1 and older
2023-07-26 15:20:00
CVE-2023-28709

Abstract

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-28709

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML Web Author is an affected version mentioned in CVE-2023-28709 vulnerability description. However, since default HTTP connector settings are used, this vulnerability does not affect Oxygen XML Web Author.

NoneResolved Oxygen XML Web Author 25.1.0.1 and older 2023-07-26 15:20:00
CVE-2022-45688

Abstract

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

The Oxygen products incorporate hutool-json as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45688

Severity: High

CVSS Score: 7.5

The hutool-json third-party library used by Oxygen Content Fusion is an affected version mentioned in CVE-2022-45688 vulnerability description. Starting with Oxygen Content Fusion 5.1.1 build 2023072112 the affected library was updated to version that fixes this vulnerability.

Since Oxygen Publishing Engine doesn't use XML.toJSONObject, this vulnerability does not affect Oxygen Publishing Engine. However, Oxygen Publishing Engine starting with v25.1 build 2023031411 the affected library was updated to a version that fixes this vulnerability.

Starting with Oxygen License Server v25.1 build 2023031316 the affected library was updated to a version that fixes this vulnerability

HighResolved Oxygen Content Fusion 5.1 and older
Oxygen XML Web Author 25.0.0.3 and older
Oxygen Publishing Engine 25.0
Oxygen License Server 25.0 and older
Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
2023-07-26 15:20:00
CVE-2023-2976

Abstract

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

The Oxygen products incorporate Google Guava as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-2976

Severity: High

CVSS Score: 7.5

The Google Guava third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-2976 vulnerability description. However, since Oxygen XML products do not employ the FileBackedOutputStream class, we classify this vulnerability as low.

Starting with Oxygen XML v25.1 build 2023070306 Google Guava library was updated to v2.29 which fixes this vulnerability.

LowResolved Oxygen XML Author 25.1 and older
Oxygen XML Developer 25.1 and older
Oxygen XML Editor 25.1 and older
Oxygen Content Fusion 5.1 and older
Oxygen XML Web Author 25.1.0.1 and older
Oxygen Feedback 3.0.1 and older
Oxygen Publishing Engine 25.1 and older
2023-07-20 15:20:00
CVE-2023-34623

Abstract

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

The Oxygen products incorporate jtidy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34623

Severity: High

CVSS Score: 7.5

The jtidy third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34623 vulnerability description.

Starting with Oxygen XML v25.1 build 2023070306 jtidy library was updated to a version which fixes this vulnerability.

HighResolved Oxygen XML Author 25.1 and older
Oxygen XML Developer 25.1 and older
Oxygen XML Editor 25.1 and older
Oxygen PDF Chemistry 25.1 and older
2023-07-19 16:20:00
CVE-2023-34624

Abstract

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

The Oxygen products incorporate htmlcleaner as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-34624

Severity: High

CVSS Score: 7.5

The htmlcleaner third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-34624 vulnerability description.

Starting with Oxygen XML v25.1 build 2023070306 htmlcleaner library was updated to v2.29 which fixes this vulnerability.

HighResolved Oxygen XML Author 25.1 and older
Oxygen XML Developer 25.1 and older
Oxygen XML Editor 25.1 and older
Oxygen PDF Chemistry 25.1 and older
2023-07-19 16:15:00
CVE-2023-20860

Abstract

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20860

Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20860 vulnerability description. However, the Oxygen products do not use mvcMatchers. For that reason, the Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 5.1 and older
Oxygen Feedback 3.0.1 and older
2023-06-07 16:15:00
CVE-2023-20862

Abstract

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20862

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20862 vulnerability description. However, the Oxygen products do not use the vulnerable code. For that reason, Oxygen XML products are not affected.

NoneResolved Oxygen Content Fusion 5.1 and older
Oxygen Feedback 3.0.1 and older
2023-06-07 16:15:00
CVE-2023-20873

Abstract

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

The Oxygen products incorporate Spring Boot as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-20873

Severity: Critical

CVSS Score: 9.8

The Spring Boot third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-20873 vulnerability description. However, the Oxygen products are not deployed to to Cloud Foundry. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion 5.1 and older
Oxygen Feedback 3.0.1 and older
2023-06-07 16:15:00
SYNC-2023-042301

Abstract

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)

Detail

SYNC-2023-042301

Severity: Medium

CVSS Score: 5.3

Using special requests, a remote attacker may read files from WEB-INF directory of Oxygen XML Web Author application. However, by default, this directory does not contain sensitive information so the severity of this issue should be seen as low.

LowResolved Oxygen XML Web Author 25.0.0.2 and older
Oxygen Content Fusion 5.0.2 and older
2023-04-07 15:22:00
CVE-2023-24998

Abstract

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

The Oxygen products incorporate Apache Commons FileUpload as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-24998

Severity: High

CVSS Score: 7.5

The Apache Commons FileUpload third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-24998 vulnerability description.

Starting with Oxygen XML Web Author v25.1 build 2023031320 Apache Tomcat library was updated to v9.0.73 which fixes this vulnerability.

HighResolved Oxygen XML Web Author 25.0.0.3 and older 2023-04-07 15:22:00
CVE-2022-40152

Abstract

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

The Oxygen products incorporate Woodstox as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40152

Severity: High

CVSS Score: 7.5

The Woodstox third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40152 vulnerability description. However, the Oxygen products does not enable DTD support. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.1.0 build 2023031320 Woodstox library was updated to a newer version which fixes this vulnerability.

NoneResolved Oxygen XML Web Author 25.0.0.3 and older 2023-03-22 15:22:00
CVE-2023-0286

Abstract

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

The Oxygen products incorporate OpenSSL as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-0286

Severity: High

CVSS Score: 7.4

The OpenSSL third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-0286 vulnerability description. However, the Oxygen products does not enable CRL checking. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen Feedback 3.0 2023-03-22 15:22:00
CVE-2022-25901

Abstract

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

The Oxygen products incorporate cookiejar as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-25901

Severity: High

CVSS Score: 7.5

The cookiejar third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-25901 vulnerability description. However, the Oxygen products does not use the Cookie.parse function. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v3.0 build 2023031610 cookiejar library was updated to v2.1.4 which fixes this vulnerability.

LowResolved Oxygen Feedback 2.1.4 and older 2023-03-22 14:25:00
CVE-2022-41404

Abstract

An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

The Oxygen products incorporate org.ini4j as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41404

Severity: High

CVSS Score: 7.5

The org.ini4j third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41404 vulnerability description. However, the Oxygen products does not call the affected method. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.1.0 build 2023031320 org.ini4j library was removed.

NoneResolved Oxygen XML Web Author 25.0.2 and older 2023-03-22 10:25:00
CVE-2022-23540

Abstract

In versions `<=8.5.1` of jsonwebtoken library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.

The Oxygen products incorporate jsonwebtoken as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23540

Severity: High

CVSS Score: 7.6

The jsonwebtoken third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23540 vulnerability description.

Starting with Oxygen Content Fusion v5.0.3 build 2023022015 the jsonwebtoken library was updated to v9.0.0 which fixes this vulnerability.

HighResolved Oxygen Content Fusion 5.0.2 and older 2023-03-22 10:24:00
CVE-2023-22602

Abstract

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.

The Oxygen products incorporate Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-22602

Severity: High

CVSS Score: 7.5

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-22602 vulnerability description. However, the Oxygen products does not use Apache Shiro with Spring Boot. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen XML Web Author 25.0.2 and older
Oxygen Content Fusion 5.0.3 and older
2023-03-16 10:32:00
CVE-2022-45143

Abstract

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45143

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45143 vulnerability description. However, the Oxygen products does not call the affected code. For that reason, Oxygen XML products are not affected.

NoneResolved Oxygen Feedback 2.1.4 and older 2023-02-17 11:32:00
CVE-2023-22467

Abstract

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

The Oxygen products incorporate Luxon as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2023-22467

Severity: High

CVSS Score: 7.5

The Luxon third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-22467 vulnerability description. However, the Oxygen products does not permit users input. For that reason, Oxygen XML products are not affected.

NoneResolved Oxygen Content Fusion 5.0.2 and older 2023-02-17 11:28:00
CVE-2022-45868

Abstract

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments.

The Oxygen products incorporate H2 Database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45868

Severity: High

CVSS Score: 7.8

The H2 Database third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45868 vulnerability description. However, the Oxygen products does not start the library with -webAdminPassword argument. For that reason, Oxygen XML products are not affected by this vulnerability

NoneResolved Oxygen XML Web Author 25.0.0.2 and older
Oxygen License Server v25.0 and older
2023-02-17 11:22:00
CVE-2022-45378

Abstract

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution.

The Oxygen products incorporate Apache SOAP as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-45378

Severity: Critical

CVSS Score: 9.8

The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-45378 vulnerability description. However, the Oxygen products doesn't use RPCRouterServlet. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
2023-02-03 15:26:00
CVE-2022-24999

Abstract

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24999

Severity: High

CVSS Score: 7.5

The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.

MediumResolved Oxygen Content Fusion 5.0.1 and older 2023-02-03 15:16:00
CVE-2022-41881

Abstract

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41881

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41881 vulnerability description.

Starting with Oxygen XML Author v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.

HighResolved Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
Oxygen Content Fusion 5.0.2 and older
2023-03-16 11:16:00
CVE-2022-25857

Abstract

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

The Oxygen products incorporate SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-25857

Severity: High

CVSS Score: 7.5

The SnakeYAML third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-25857 vulnerability description.

HighResolved Oxygen XML Author 24.1 and older
Oxygen XML Developer 24.1 and older
Oxygen XML Editor 24.1 and older
Oxygen Content Fusion 5.0.1 and older
Oxygen Publishing Engine 24.1 and older
2023-01-06 14:34:00
CVE-2022-42003

Abstract

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42003

Severity: High

CVSS Score: 7.5

The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42003 vulnerability description. However, the Oxygen products does not enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
Oxygen XML Web Author 25.0.0 and older
Oxygen Content Fusion 5.0.1 and older
Oxygen Feedback 2.1.3 and older
Oxygen Publishing Engine 25.0 and older
2023-01-06 14:34:00
CVE-2022-2421

Abstract

Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

The Oxygen products incorporate Socket.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-2421

Severity: Critical

CVSS Score: 9.8

The Socket.io third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-2421 vulnerability description.

CriticalResolved Oxygen Content Fusion 5.0.1 and older 2023-01-06 14:38:00
CVE-2022-41940

Abstract

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

The Oxygen products incorporate Engine.IO as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41940

Severity: High

CVSS Score: 7.1

The Engine.IO third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41940 vulnerability description.

MediumResolved Oxygen Content Fusion 5.0.1 and older 2023-01-06 14:38:00
CVE-2022-1471

Abstract

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

The Oxygen products incorporate SnakeYaml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-1471

Severity: Critical

CVSS Score: 9.8

The SnakeYaml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-1471 vulnerability description. However, the Oxygen products does not use the Constructor() as described. For that reason, Oxygen XML products are not affected by this vulnerability.

NoneResolved Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
Oxygen Content Fusion 5.0.1 and older
Oxygen Publishing Engine 25.0 and older
2023-01-06 14:34:00
CVE-2022-42004

Abstract

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42004

Severity: High

CVSS Score: 7.5

The FasterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42004 vulnerability description. However, the Oxygen products does not enable the feature UNWRAP_SINGLE_VALUE_ARRAYS. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 FasterXML jackson-databind library was updated to v2.13.4.2 which fixes this vulnerability.

NoneResolved Oxygen XML Author 25.0 and older
Oxygen XML Developer 25.0 and older
Oxygen XML Editor 25.0 and older
Oxygen XML Web Author 25.0.0 and older
Oxygen Content Fusion 5.0.1 and older
Oxygen Feedback 2.1.2 and older
2023-01-06 14:34:00
CVE-2022-40146

Abstract

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40146

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40146 vulnerability description. However, the Oxygen products have security mechanism that blocks connections to untrusted hosts. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen XML Author 24.1 and older
Oxygen XML Developer 24.1 and older
Oxygen XML Editor 24.1 and older
Oxygen Publishing Engine 24.1 and older
2022-12-15 14:34:00
CVE-2022-3171

Abstract

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

The Oxygen products incorporate protobuf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-3171

Severity: High

CVSS Score: 7.5

The protobuf third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-3171 vulnerability description. However, the Oxygen products does not read arbitrary data in protobuf format. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 protobuf library was updated to a newer version which fixes this vulnerability.

NoneResolved Oxygen XML Web Author 25.0 2022-11-21 15:27:00
CVE-2022-40664

Abstract

The Shiro package is vulnerable to Improper Authentication. The doFilter() function in the OncePerRequestFilter class executes the filter once per request, even when forwarding or including via javax.servlet.RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.

The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40664

Severity: Critical

CVSS Score: 9.8

The Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40664 vulnerability description. However, the Oxygen products doesn't call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 Shiro library was updated to a newer version that fixes this vulnerability.

NoneResolved Oxygen XML Web Author 25.0 and older
Oxygen Content Fusion 5.0.1 and older
2023-01-06 15:27:00
CVE-2022-42252

Abstract

If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42252

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42252 vulnerability description. However, the Oxygen products doesn't set rejectIllegalHeader to false. For that reason Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 Apache Tomcat library was updated to v9.0.68 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.2 build 2023020615 Apache Tomcat library was updated to v9.0.69 which fixes this vulnerability.

NoneResolved Oxygen Feedback 2.1.3 and older
Oxygen XML Web Author 25.0.0 and older
Oxygen Content Fusion 5.0.1 and older
2023-01-06 15:27:00
CVE-2022-31690

Abstract

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-31690

Severity: High

CVSS Score: 8.1

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31690 vulnerability description. However, the Access Token returned by Oxygen Feedback does not contain an empty scope list. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

NoneResolved Oxygen Feedback 2.1.3 and older
Oxygen Content Fusion 5.0.1 and older
2023-01-06 15:27:00
CVE-2022-31692

Abstract

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-31692

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31692 vulnerability description. However, the Oxygen products are not configured as described in the vulnerability description. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

NoneResolved Oxygen Feedback 2.1.3 and older
Oxygen Content Fusion 5.0.1 and older
2023-01-06 15:27:00
CVE-2022-37601

Abstract

The loader-utils package is vulnerable to Prototype Pollution. The parseQuery() function in the parseQuery.js file allows for modification of object prototypes via the name variable. A remote attacker can exploit this vulnerability to override the behavior of object prototypes, which may result in a Denial of Service (DoS) condition, Remote Code Execution (RCE), or other unexpected behavior.

The Oxygen products incorporate loader-utils as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-37601

Severity: Critical

CVSS Score: 9.8

The loader-utils third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-37601 vulnerability description. However, Oxygen XML products does not use server-side JavaScript to handle JSON content received as payload on REST requests. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 loader-utils library was updated to fix this vulnerability.

NoneResolved Oxygen Feedback 2.1.3 and older 2022-11-18 15:27:00
CVE-2022-41704

Abstract

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-41704

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41704 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v24.1.0.2 build 2022110410 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 batik-bridge library was removed, which fixes this vulnerability.

HighResolved Oxygen XML Author v25.0 and older versions
Oxygen XML Developer v25.0 and older versions
Oxygen XML Editor v25.0 and older versions
Oxygen PDF Chemistry v25.0 and older versions
Oxygen Publishing Engine v25.0 and older versions
Oxygen XML Web Author v25.0 and older versions
2022-11-07 14:27:00
CVE-2022-42890

Abstract

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-42890

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42890 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

HighResolved Oxygen XML Author v25.0 and older versions
Oxygen XML Developer v25.0 and older versions
Oxygen XML Editor v25.0 and older versions
Oxygen PDF Chemistry v25.0 and older versions
Oxygen Publishing Engine v25.0 and older versions
Oxygen XML Web Author v25.0 and older versions
2022-11-07 14:27:00
CVE-2022-23437

Abstract

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

The Oxygen products incorporate Apache Xerces Java (XercesJ) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23437

Severity: Medium

CVSS Score: 6.5

The Apache Xerces Java (XercesJ) third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23437 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022030807 Apache Xerces Java (XercesJ) library was updated to v2.12.2 which fixes this vulnerability.

MediumResolved Oxygen XML Author v24.0 and older versions
Oxygen XML Developer v24.0 and older versions
Oxygen XML Editor v24.0 and older versions
2022-11-07 14:27:00
CVE-2022-40705

Abstract

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions.

The Oxygen products incorporate Apache SOAP as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-40705

Severity: High

CVSS Score: 7.5

The Apache SOAP third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40705 vulnerability description. However, Oxygen products does not use RPCRouterServlet class. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen XML Author v25.0 and older versions
Oxygen XML Developer v25.0 and older versions
Oxygen XML Editor v25.0 and older versions
2022-10-13 11:27:00
CVE-2022-32532

Abstract

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Detail

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-32532 vulnerability description. However, Oxygen XML products does not use RegExPatternMatcher. For that reason, we are rated the severity level for our products as Low.

Starting with Oxygen Content Fusion v5.0.1 build 2022092005 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022070522 Apache Shiro was updated to version 1.9.1, which includes a fix for CVE-2022-325332.

LowResolved Oxygen XML Web Author v25.0 and older versions
Oxygen Content Fusion v5.0 and older versions
2022-10-13 11:27:00
CVE-2020-7760

Abstract

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*

The Oxygen products incorporate codemirror as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-7760

Severity: High

CVSS Score: 7.5

The codemirror third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-7760 vulnerability description. However, Oxygen products does not load the vulnerable file (javascript.js). For that reason, we have rated the severity level for our products as Low.

Starting with Oxygen XML Web Author v25.0 codemirror library was updated to v5.65.8 which fixes this vulnerability.

LowResolved Oxygen XML Web Author v25.0 and older versions
Oxygen Content Fusion v5.0 and older versions
2022-10-13 11:27:00
CVE-2022-34169

Abstract

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.

The Oxygen products incorporate Apache Xalan Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-34169

Severity: High

CVSS Score: 7.5

The Apache Xalan Java third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-34169 vulnerability description. However, Oxygen XML products does not use Apache Xalan Java to generate Java classes from XSLT. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen XML Author v25.0 and older versions
Oxygen XML Developer v25.0 and older versions
Oxygen XML Editor v25.0 and older versions
2022-10-13 11:27:00
CVE-2022-29885

Abstract

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-29885

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-29885 vulnerability description.

Starting with Oxygen Content Fusion v5.0 Apache Tomcat library was updated to a non-vulnerable version.

HighResolved Oxygen XML Web Author v24.1 and older versions
Oxygen Content Fusion v4.1.6 and older versions
2022-10-13 11:27:00
CVE-2022-24839

Abstract

The nekohtml package is vulnerable to Denial of Service due to Uncontrolled Resource Consumption. The scanPI() function in the HTMLScanner class mishandles the parsing of a processing instruction while scanning a document. An attacker can leverage this behavior using a specially-crafted HTML composition, which has a ? or / character at the end of the processed instruction, to cause an infinite loop that appends a byte in a buffer in every cycle, causing a java.lang.OutOfMemoryError exception.

The Oxygen products incorporate nekohtml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24839

Severity: High

CVSS Score: 7.5

The nekohtml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24839 vulnerability description.

Starting with Oxygen XML Web Author v24.1 build 2022070522 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Author v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Developer v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Editor v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen PDF Chemistry v24.1 build 2022062023 nekohtml library was removed.

Starting with Oxygen Content Fusion v5.0 build 2022092005 nekohtml library was updated to a non-vulnerable version.

HighResolved Oxygen XML Author v24.1 and older versions
Oxygen XML Developer v24.1 and older versions
Oxygen XML Editor v24.1 and older versions
Oxygen XML Web Author v24.1 and older versions
Oxygen Content Fusion v4.1.6 and older versions
Oxygen PDF Chemistry v24.1 and older versions
2022-10-13 11:27:00
CVE-2021-43138

Abstract

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

The Oxygen products incorporate Async as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-43138

Severity: High

CVSS Score: 7.8

The Async third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-43138 vulnerability description.

Starting with Oxygen Content Fusion v5.0 Async library was updated to v3.2.2 which fixes this vulnerability.

HighResolved Oxygen Content Fusion v5.0 and older versions 2022-10-13 11:27:00
CVE-2022-24785

Abstract

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-24785

Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24785 vulnerability description. However, Oxygen products does not set any locale/lang for Moment.js library. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 Moment.js library was updated to v3.2.2 which fixes this vulnerability.

LowResolved Oxygen Content Fusion v5.0 and older versions
Oxygen Feedback v2.1 and older versions
2022-10-13 11:27:00
CVE-2017-18214

Abstract

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-18214

Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2017-18214 vulnerability description. However, Oxygen products does not set any user provided date string. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen Content Fusion v5.0 and older versions 2022-10-13 11:27:00
CVE-2018-11040

Abstract

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-11040

Severity: High

CVSS Score: 7.5

The Spring Framework third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-11040 vulnerability description. However, Oxygen Feedback does not use MappingJackson2JsonView nor enable JSONP support through AbstractJsonpResponseBodyAdvice. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v2.1 build 2022071516 Spring Framework library was updated to a non-vulnerable version.

LowResolved Oxygen Feedback v2.1 and older versions 2022-10-13 11:27:00
CVE-2022-23181

Abstract

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-23181

Severity: High

CVSS Score: 7.0

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-23181 vulnerability description. However, the Oxygen products are not configured to persist sessions using the FileStore. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback v2.1 Apache Tomcat library was updated to v9.0.58 which fixes this vulnerability.

Starting with Oxygen XML Web Author v24.1.0 Apache Tomcat library was updated to v9.0.59 which fixes this vulnerability.

LowResolved Oxygen Feedback v2.0.2 and older
Oxygen XML Web Author v24.0.0 and older
2022-10-13 11:08:00
CVE-2022-22978

Abstract

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Detail

CVE-2022-22978

Severity: Critical

CVSS Score: 9.8

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22978 vulnerability description. However, Oxygen XML products do not invoke the RegexRequestMatcher method. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v5.0 and older versions
Oxygen Feedback v2.1.1 and older versions
2022-09-28 10:27:00
CVE-2022-29162

Abstract

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

Detail

CVE-2022-29162

Severity: High

CVSS Score: 7.8

The runc third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-29162 vulnerability description.

Starting with Oxygen Content Fusion v5.0 build 2022092005 runc has been removed to fix this vulnerability.

HighResolved Oxygen Content Fusion v5.0 and older versions 2022-09-28 10:27:00
CVE-2021-42550

Abstract

CVE-2021-42550.xml

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Detail

CVE-2021-42550

Severity: Low

CVSS Score: 6.6

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42550 vulnerability description. However, the vulnerability can be only eploited by modifying the logging configuration by a trusted party. For that reason, we are rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v4.1 and older versions
Oxygen XML Web Author between 24.0 and older
Oxygen Feedback 2.0 and older
Oxygen XML Publishing Engine 24.0 and older
Oxygen PDF Chemistry 24.0
Oxygen XML Author 24.0 and older
Oxygen XML Developer 24.0 and older
Oxygen XML Editor 24.0 and older
2022-09-22 10:27:00
CVE-2022-31197

Abstract

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet.

Detail

CVE-2022-31197

Severity: High

CVSS Score: 8.0

The PostgreSQL JDBC Driver third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31197 vulnerability description. However, Oxygen XML products do not invoke the `ResultSet.refreshRow()` method. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Feedback version 2.1.3 build 2022091217, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.

Starting with Oxygen Content Fusion 5.0.1 build 2022092005, the PostgreSQL JDBC Driver was updated to version 42.4.1, which includes a fix for CVE-2022-31197.

LowResolved Oxygen Content Fusion v5.0 and older
Oxygen Feedback v2.1.2 and older
2022-09-13 11:28:00
CVE-2020-1695

Abstract

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

The Oxygen products incorporate resteasy as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-1695

Severity: High

CVSS Score: 7.5

The resteasy third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-1695 vulnerability description.

Starting with Oxygen Web Author v24.1 build 2022070522 resteasy library was updated to version v4.6.0.Final which fixes this vulnerability.

Starting with Oxygen Content Fusion v5.0 build 2022092005 reasteasy library was updated to version v4.7.6 which fixes this vulnerability.

HighResolved Oxygen Content Fusion v4.1 and older
Oxygen XML Web Author v24.1.0 and older
2022-07-08 11:23:00
CVE-2022-26520

Abstract

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

The Oxygen Content Fusion incorporates postgresql as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-26520

Severity: High

CVSS Score: 7.0

The postgresql third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-26520 vulnerability description. However, the Oxygen products are not configured to allow untrusted users to supply JDBC URLs or their properties. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 postgresql library was updated to v42.3.4 which fixes this vulnerability.

LowResolved Oxygen Content Fusion v4.1.6 and older 2022-05-27 10:08:00
CVE-2020-36518

Abstract

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The deserialize() method in the UntypedObjectDeserializer and UntypedObjectDeserializer$Vanilla classes fails to restrict recursion when deserializing nested untyped or generic objects. A remote attacker who can supply data to be deserialized by an affected application can exploit this vulnerability to cause the JVM to consume all available memory, resulting in a StackOverflow exception and ultimately a DoS condition.

The Oxygen products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36518

Severity: High

CVSS Score: 7.5

The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2020-36518 vulnerability description.

Starting with Oxygen Web Author v24.1.1 jackson-databind library was updated to a non-vulnerable version.

Starting with Oxygen Content Fusion v4.1 build 2022040914 jackson-databind library was updated to a non-vulnerable version.

HighResolved Oxygen XML Author v24.1 and older
Oxygen XML Developer v24.1 and older
Oxygen XML Editor v24.1 and older
Oxygen XML Web Author v24.1 and older
Oxygen Content Fusion v4.1 and older
Oxygen Publishing Engine v24.1 and older
Oxygen PDF Chemistry v24.1 and older
Oxygen Feedback v2.0 and older
Oxygen License Server v24.1 and older
2022-10-13 11:08:00
SYNC-2022-210409

Abstract

Vulnerabilities in Ubuntu server 20.04 used by Oxygen Content Fusion.

Syncro Soft engineers have addressed the following CVEs.

Vulnerabilities details

CVE-2022-1015

Severity: Critical

CVSS Score: 9.8

Description: An out of bounds access was discovered in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.

CVE-2021-3653

Severity: Critical

CVSS Score: 8.8

Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “int_ctl” field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

CVE-2021-3656

Severity: Critical

CVSS Score: 8.8

Description: A flaw was found in the KVM’s AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the “virt_ext” field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

CVE-2022-0185

Severity: Critical

CVSS Score: 8.4

Description: A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

CVE-2021-3492

Severity: High

CVSS Score: 7.8

Description: Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

CVE-2021-3493

Severity: High

CVSS Score: 7.8

Description: The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

CVE-2021-22555

Severity: High

CVSS Score: 7.8

Description: A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.

CVE-2021-27365

Severity: High

CVSS Score: 7.8

Description: An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.

CVE-2021-29154

Severity: High

CVSS Score: 7.8

Description: BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c.

CVE-2021-33909

Severity: High

CVSS Score: 7.8

Description: fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

CVE-2021-3444

Severity: High

CVSS Score: 7.8

Description: The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution.

CVE-2022-0492

Severity: High

CVSS Score: 7.8

Description: A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

CVE-2022-25636

Severity: High

CVSS Score: 7.8

Description: net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

CVE-2022-1055

Severity: High

CVSS Score: 7.8

Description: A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces.

CVE-2021-3600

Severity: High

CVSS Score: 7.8

Description: It was discovered that the eBPF implementation in the Linux kernel did not properly track bounds information for 32 bit registers when performing div and mod operations. A local attacker could use this to possibly execute arbitrary code.

CVE-2021-3609

Severity: High

CVSS Score: 7.0

Description: A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

Starting with Oxygen Content Fusion version 4.1.6 build number 2022040914, the affected packages were updated and all vulnerabilities were fixed.

LowResolved Oxygen Content Fusion v4.1.5 and older 2022-04-26 10:08:00
CVE-2021-44906

Abstract

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

The Oxygen products incorporate Minimist as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-44906

Severity: Critical

CVSS Score: 9.8

The Minimist third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44906 vulnerability description. However, the Oxygen Feedback product does not pass data from untrusted sources to this library. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Feedback v2.0.2 and older 2022-04-14 10:10:00
CVE-2022-22965

Abstract

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

The Oxygen products incorporate Spring MVC as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-22965

Severity: Critical

CVSS Score: 9.8

The Spring MVC third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-22965 vulnerability description. However, the Oxygen Feedback product is not available as a WAR file. For that reason, our products are not affected by this vulnerability.

NoneResolved Oxygen Feedback v2.0.2 and older 2022-04-05 09:10:00
SYNC-2022-1003

Abstract

The jackson-databind package is vulnerable to a Denial of Service (DoS) attack. The readExternal() method in the NodeSerialization class fails to restrict allocation when JsonNode objects are serialized/deserialized by the JDK.

The Oxygen XML products incorporate jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2022-1003

Severity: High

CVSS Score: 7.5

The jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in SYNC-2022-1003 vulnerability description. However, this library is not used to serialize/deserialize JsonNode objects from untrusted sources. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen XML Author v24.0 and older
Oxygen XML Developer v24.0 and older
Oxygen XML Editor v24.0 and older
Oxygen Content Fusion v4.1.5 and older
Oxygen Web Author v24.0 and older
Oxygen Feedback v2.0.1 and older
Oxygen Publishing Engine v24.0 and older
Oxygen License Server v24.0 and older
Oxygen PDF Chemistry v24.0 and older
2022-03-10 09:15:00
CVE-2021-28165

Abstract

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

The Oxygen License Server product incorporates Eclipse Jetty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-28165

Severity: High

CVSS Score: 7.5

The Eclipse Jetty package used by Oxygen License Server product is an affected version mentioned in CVE-2021-28165 vulnerability description.

Starting with Oxygen License Server version 24.1, the Eclipse Jetty was updated to version 9.4.45.v20220203, which includes a fix for CVE-2021-41303.

LowResolved Oxygen License Server v24.0 and older 2022-03-10 09:15:00
CVE-2022-21724

Abstract

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties.

The Oxygen Content Fusion product incorporates shelljs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-21724

Severity: Critical

CVSS Score: 9.8

The postgresql package used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-21724 vulnerability description. However, the configuration files cannot be changed by untrusted users. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v4.1.5 and older
2022-03-10 09:15:00
CVE-2022-0144

Abstract

The shelljs package is vulnerable due to Improper Privilege Management. The execSync() function in the exec.js file does not properly ensure if a user is authorized to read and write to the paramFiles, stdoutFile and stderrFile before allowing the user to access them. A local attacker with low privileges can exploit this behavior to obtain sensitive information from the aforementioned files. The attacker can also create a stdoutFile or stderrFile first, which will crash the exec process when it tries to write to these files, resulting in a Denial of Service (DoS) condition.

The Oxygen Content Fusion product incorporates shelljs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2022-0144

Severity: High

CVSS Score: 7.1

The shelljs third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2022-0144 vulnerability description. However, the shelljs library is used only for backup restore and it is executed into an isolated container that is not available to untrusted users. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v4.1.5 and older
2022-03-10 09:15:00
CVE-2021-42392

Abstract

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

The Oxygen XML products incorporate H2 database as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-42392

Severity: Critical

CVSS Score: 9.8

The H2 database third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42392 vulnerability description. However, the H2 console is not available for untrusted users. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v4.1.5 and older
Oxygen Web Author v24.0 and older
Oxygen License Server v24.0 and older
2022-03-10 09:15:00
CVE-2021-23463

Abstract

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

The Oxygen License Server product incorporates com.h2database:h2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-23463

Severity: Critical

CVSS Score: 9.1

The com.h2database:h2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-23463 vulnerability description. However, this library is not used to parse XML data from untrusted sources. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen License Server v24.0 2022-02-08 09:15:00
CVE-2018-7489

Abstract

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

The Oxygen products incorporate FasterXML jackson-databind as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-7489

Severity: Critical

CVSS Score: 9.8

The FarsterXML jackson-databind third-party library used by Oxygen XML products is an affected version mentioned in CVE-2018-7489 vulnerability description. However, c3p0 libraries are not available in the Oxygen XML products classpath. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen XML Web Author v22.1.0 2022-01-19 09:15:00
CVE-2019-10172

Abstract

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

The Oxygen products incorporate Jackson as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2019-10172

Severity: High

CVSS Score: 7.5

The Jackson third-party library used by Oxygen XML products is an affected version mentioned in CVE-2019-10172 vulnerability description.

Starting with Oxygen XML Web Author v23.1 Jackson library was updated to v2.11.0 which fixes this vulnerability.

HighResolved Oxygen XML Web Author v22.1.0 2022-01-19 09:15:00
CVE-2020-11988

Abstract

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.

The Oxygen PDF Chemistry product incorporates the Apache XmlGraphics Commons 2.4 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-11988

Severity: High

CVSS Score: 8.2

The Apache XmlGraphics Commons third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11988 vulnerability description.

Starting with Oxygen PDF Chemistry v22.1 build 2021121712, the Apache XmlGraphics Commons library was updated to version 2.6 which fixes this vulnerability.

HighResolved Oxygen PDF Chemistry v22.0 and v22.1 2022-01-19 09:15:00
CVE-2021-32626

Abstract

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

The Oxygen XML products incorporate Redis as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-32626

Severity: High

CVSS Score: 8.8

The Redis third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-32626 vulnerability description. However, execution of Lua scripts is disabled in our products. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion 4.1 and older 2022-01-19 09:15:00
CVE-2021-44832

Abstract

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-44832

Severity: Medium

CVSS Score: 6.6

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44832 vulnerability description. However, our default configuration does not use JDBC Appender with a data source referencing a JNDI URI and can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion 4.1 and older
Oxygen XML Web Author between 22.1 and 24.0.0
Oxygen Feedback 2.0 and older
Oxygen XML Publishing Engine between 22.1 and 24.0
Oxygen XML WebHelp between 22.1 and 24.0
Oxygen PDF Chemistry between 22.1 and 24.0
Oxygen License Server between 22.1 and 24.0
Oxygen XML Author between 16.1 and 24.0
Oxygen XML Developer between 16.1 and 24.0
Oxygen XML Editor between 16.1 and 24.0
2022-01-19 09:15:00
CVE-2021-4104

Abstract

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-4104

Severity: High

CVSS Score: 8.1

The Apache Log4j third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-4104 vulnerability description. However, our default configuration does not use JSM Appender and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion v2.0.3 2021-12-29 14:10:30
CVE-2021-45105

Abstract

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-45105

Severity: High

CVSS Score: 7.5

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45105 vulnerability description. However, our default configuration does not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion 4.1 and older
Oxygen XML Web Author between 22.1 and 24.0.0
Oxygen Feedback 1.4.4 and older
Oxygen XML Publishing Engine between 22.1 and 24.0
Oxygen XML WebHelp between 22.1 and 24.0
Oxygen PDF Chemistry between 22.1 and 24.0
Oxygen License Server between 22.1 and 24.0
Oxygen XML Author between 16.1 and 24.0
Oxygen XML Developer between 16.1 and 24.0
Oxygen XML Editor between 16.1 and 24.0
2021-12-21 10:15:30
CVE-2020-11987

Abstract

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

The Oxygen PDF Chemistry product incorporates the Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-11987

Severity: High

CVSS Score: 8.2

The Apache Batik third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11987 vulnerability description. However, NodePickerPanel class is not used in Oxygen PDF Chemistry. Therefore Oxygen PDF Chemistry product is not affected by CVE-2020-11987.

LowResolved Oxygen PDF Chemistry between v22.1 and v24.0 2022-01-19 09:15:00
CVE-2021-45046

Abstract

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-45046

Severity: Critical

CVSS Score: 9.0

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-45046 vulnerability description. However, our default configuration doe not change the Pattern Layout and the vulnerability can be only exploited by modifying the logging configuration by a trusted party. For that reason, we have rated the severity level for our products as low.

LowResolved Oxygen Content Fusion 4.1 and older
Oxygen XML Web Author between 22.1 and 24.0.0
Oxygen Feedback 1.4.5 and older
Oxygen XML Publishing Engine 24.0 and older
Oxygen XML WebHelp 24.0 and older
Oxygen PDF Chemistry 24.0 and older
Oxygen License Server 24.0 and older
Oxygen XML Author 24.0 and older
Oxygen XML Developer 24.0 and older
Oxygen XML Editor 24.0 and older
2021-12-15 12:43:30
CVE-2021-44228

Abstract

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

The Oxygen XML products incorporate the Apache Log4j2 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

See also https://www.oxygenxml.com/oxygen_xml_vulnerability_analysis_faq.html for more information.

Detail

CVE-2021-44228

Severity: Critical

CVSS Score: 10

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-44228 vulnerability description. However, we patched our public services against this vulnerability.

CriticalResolved Oxygen Content Fusion 4.1 and older
Oxygen XML Web Author between 22.1 and 24.0.0
Oxygen Feedback 1.4.4 and older
Oxygen XML Publishing Engine between 22.1 and 24.0
Oxygen XML WebHelp between 22.1 and 24.0
Oxygen PDF Chemistry between 22.1 and 24.0
Oxygen License Server between 22.1 and 24.0
Oxygen XML Author between 16.1 and 24.0
Oxygen XML Developer between 16.1 and 24.0
Oxygen XML Editor between 16.1 and 24.0
2021-12-10 18:56:21
SYNC-2021-2610

Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. An attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references.

The Oxygen Feedback product incorporates the logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-2610

Severity: High

CVSS Score: 8.6

The logback-core third-party library used by Oxygen Feedback product is an affected version mentioned in SYNC-2021-2610 vulnerability description. However, Oxygen Feedback does not accept XML data as user input. Therefore Oxygen Feedback product is not impacted by SYNC-2021-2610.

Starting with Oxygen Feedback version 1.4.4, the logback-core was updated to version 1.2.6, which includes a fix for SYNC-2021-2610.

LowResolved Oxygen Feedback 1.4.3 and older versions 2021-12-10 12:23:46
CVE-2021-37714

Abstract

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.

The Oxygen Feedback product incorporates the jsoup as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37714

Severity: High

CVSS Score: 7.5

The jsoup third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37714 vulnerability description.

Starting with Oxygen Feedback version 1.4.4, the jsoup was updated to version 1.14.2, which includes a fix for CVE-2021-37714.

HighResolved Oxygen Feedback 1.4.3 and older versions 2021-12-10 10:49:11
CVE-2021-43466

Abstract

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

The Oxygen XML products incorporate the thymeleaf-spring as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-43466

Severity: Critical

CVSS Score: 9.8

The thymeleaf-spring third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-43466 vulnerability description. However, the Oxygen XML software products doesn't render templetes supplied by users. Therefore Oxygen XML software products are not impacted by CVE-2021-43466.

Starting with Oxygen Feedback version 1.4.4, the thymeleaf-spring package was updated to version 3.0.13, which includes a fix for this vulnerability.

LowResolved Oxygen Feedback 1.4.3 and older versions 2021-12-10 10:21:15
CVE-2021-37137

Abstract

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

The Oxygen XML products incorporates the Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37137

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37137 vulnerability description. However, the Oxygen XML software products doesn't use Netty to decompress user-supplied Snappy data streams. Therefore Oxygen XML software products are not impacted by CVE-2021-37137.

LowResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 14:45:15
CVE-2021-37136

Abstract

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.

The Oxygen XML products incorporates the Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-37136

Severity: High

CVSS Score: 7.5

The Netty third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-37136 vulnerability description. However, the Oxygen XML software products doesn't use Netty to decompress user-supplied Bzip2 data streams. Therefore Oxygen XML software products are not impacted by CVE-2021-37136.

LowResolved Oxygen Content Fusion 4.1 and older versions 2022-10-13 11:50:15
CVE-2020-25638

Abstract

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

The Oxygen XML products incorporate the hibernate-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-25638

Severity: High

CVSS Score: 7.4

The hibernate-core third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-25638 vulnerability description. However, the Oxygen XML software products doesn't set hibernate.use_sql_comments to true. Therefore Oxygen XML software products are not impacted by CVE-2020-25638.

Starting with Oxygen Content Fusion version 4.1, the hibernate-core package was updated to version 5.4.24, which includes a fix for this vulnerability.

LowResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 13:21:15
CVE-2020-17523

Abstract

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

The Oxygen XML products incorporates the Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-17523

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-17523 vulnerability description. However, Spring is not included in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2020-17523.

Starting with Oxygen Content Fusion version 4.1, the Apache Shiro was updated to version 1.8, which includes a fix for CVE-2020-17523.

LowResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 13:21:15
CVE-2018-1294

Abstract

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

The Oxygen XML products incorporates the Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2018-1294

Severity: high

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2018-1294 vulnerability description. However, the Oxygen XML software products validate input before being passed to Email.setBounceAddress(String). Therefore Oxygen XML software products are not impacted by CVE-2018-1294.

Starting with Oxygen Content Fusion version 4.1, the Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2018-1294.

LowResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 12:39:11
CVE-2017-9801

Abstract

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

The Oxygen XML products incorporates the Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-9801

Severity: high

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-9801 vulnerability description.

Starting with Oxygen Content Fusion version 4.1, the Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2017-9801.

HighResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 11:32:11
CVE-2017-18640

Abstract

SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation.

The Oxygen XML products incorporates the SnakeYAML as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2017-18640

Severity: high

CVSS Score: 7.5

The SnakeYAML third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2017-18640 vulnerability description. However, the Oxygen XML software products use SnakeYAML only to generate YAML files, not to parse YAML files. Therefore Oxygen XML software products are not impacted by CVE-2017-18640.

Starting with Oxygen Content Fusion version 4.1, the SnakeYAML library was removed.

LowResolved Oxygen Content Fusion 4.1 and older versions 2021-12-08 11:24:11
CVE-2021-42340

Abstract

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-42340

Severity: high

CVSS Score: 7.5

The Apache Tomcat 9.0.52 third-party library used by Oxygen Feedback products is an affected version mentioned in CVE-2021-42340 vulnerability description.

Starting with Oxygen Feedback version 1.4.4, the Apache Tomcat was updated to version 9.0.54, which includes a fix for CVE-2021-42340.

Starting with Oxygen XML Web Author version 23.1 build 2021112409, the Apache Tomcat was updated to version 9.0.55, which includes a fix for CVE-2021-42340.

HighResolved Oxygen XML Web Author 23.1 and older versions 2021-12-06 16:21:11
CVE-2021-40690

Abstract

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the secureValidation property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

The Apache Santuario - XML Security package is vulnerable to Information Exposure. A remote attacker can exploit this behavior to extract any local .xml files during an XPath transform using the RetrievalMethod element. This would result in the attacker gaining access to otherwise restricted information on an application using this package to implement XML security standards.

The Oxygen XML products incorporates the Apache Santuario - XML Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-40690

Severity: High

CVSS Score: 7.5

The Apache Santuario - XML Security third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-40690 vulnerability description.

Starting with Oxygen XML version 24.0, the Apache Santuario - XML Security was updated to version 2.1.7, which includes a fix for CVE-2021-40690.

MediumResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-10-18 14:27:09
CVE-2021-41303

Abstract

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.

The Oxygen XML Web Author products incorporates the Apache Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-41303

Severity: Critical

CVSS Score: 9.8

The Apache Shiro third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-41303 vulnerability description. However, Spring Boot is not included in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2021-41303.

Starting with Oxygen XML Web Author version 24.0, the Apache Shiro was updated to version 1.8.0, which includes a fix for CVE-2021-41303.

LowResolvedOxygen XML Web Author 23.1 and older2021-10-18 12:21:11
CVE-2021-41079

Abstract

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. A remote attacker can exploit this vulnerability by issuing a maliciously crafted packet in order to cause an infinite loop and ultimately a DoS condition.

The Oxygen XML products incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-41079

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-41079 vulnerability description.

Starting with Oxygen XML Web Author version 24.0, the Apache Tomcat was updated to version 9.0.53, which includes a fix for CVE-2021-41079.

HighResolvedOxygen XML Web Author 23.1 and older2021-10-18 17:22:11
SYNC-2021-2809

Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. The buildSaxParser() method in the SaxEventRecorder class processes malicious external entities by default due to an unsafe XML parser configuration.

The Oxygen XML products incorporates the logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-2809

Severity: Medium

CVSS Score: 5.1

The logback-core third-party library used by Oxygen XML software products is an affected version.

Starting with Oxygen 24.0, the logback-core was updated to version 1.2.6, which fixes this vulnerability.

MediumResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
Oxygen Publishing Engine 23.1 and older versions
2021-10-18 14:27:09
SYNC-2021-072301

Abstract

There is a JavaScript injection vulnerability in WebHelp output. Using XSS attack, an attacker may inject Javascript code by typing specific expression in search field. This exploit requires a user to be tricked into executing malicious code, by searching for specific text.

Detail

SYNC-2021-072301

Severity: Medium

CVSS Score: 5.5

Oxygen XML WebHelp output is vulnerable to cross-site scripting. This vulnerability allows users to inject arbitrary JavaScript code in the WebHelp output thus altering the intended functionality.

To fix this vulnerability, you need to:

  • Update your products to a non-vulnerable version.
  • Replace the WebHelp outputs that were previously generated using one of the affected products with freshly generated ones.

The vulnerability has been fixed in version 22.1 starting with build 2021082013 and version 23.1 starting with build 2021082307.

MediumResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
Oxygen Publishing Engine 23.1 and older versions
Oxygen XML WebHelp 23.1 and older versions
2022-07-13 114:35:02
CVE-2018-18928

Abstract

International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.

Detail

CVE-2018-18928

Severity: Critical

CVSS Score: 9.8

The International Components for Unicode (ICU) package used by Oxygen XML software products is an affected version mentioned in CVE-2018-18928 vulnerability description.

Starting with version 23.1 build 2021082307, the International Components for Unicode (ICU) package was updated to version 69.1, which includes a fix for this vulnerability.

MediumResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-08-25 10:53:04
CVE-2021-36090

Abstract

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Detail

CVE-2021-36090

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-36090 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

MediumResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-08-25 10:30:34
CVE-2021-35517

Abstract

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Detail

CVE-2021-35517

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35517 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

LowResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-08-25 10:46:30
CVE-2021-35516

Abstract

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Detail

CVE-2021-35516

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35516 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

LowResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-08-25 10:41:20
CVE-2021-35515

Abstract

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress sevenz package.

Detail

CVE-2021-35515

Severity: High

CVSS Score: 7.5

The Apache Commons Compress package used by Oxygen XML software products is an affected version mentioned in
CVE-2021-35515 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.

LowResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-08-25 10:33:45
CVE-2021-33910

Abstract

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

Detail

CVE-2021-33910

Severity: Medium

CVSS Score: 5.5

The systemd package used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2021-33910 vulnerability description.

Starting with version 4.1.1 build 2021080611, the systemd package was updated to version 245.4-4ubuntu3.11, which includes a fix for CVE-2021-33910.

MediumResolvedOxygen Content Fusion 4.1 and older versions 2021-08-19 13:27:26
CVE-2021-23337

Abstract

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

The Oxygen Content Fusion product incorporates Lodash as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-23337

Severity: High

CVSS Score: 7.2

The Lodash third-party library used by Oxygen Content Fusion product is an affected version mentioned in CVE-2021-23337 vulnerability description.

Starting with Content Fusion version 4.1 build 2021070912, the Lodash third-party was updated to version 4.17.21, which fixes the CVE-2021-23337.

MediumResolvedOxygen Content Fusion 4.1 and older versions 2021-07-12 15:36:18
CVE-2021-25329

Abstract

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494.

The tomcat-catalina package is vulnerable to Remote Code Execution (RCE). The file() method in the FileStore class fails to sufficiently enforce the current FileStore directory when creating a File object, allowing Tomcat instances with certain configurations to deserialize objects from files outside of the file store. An attacker with knowledge of the FileStore location and control of the file passed into the FileStore object as input may submit a maliciously crafted request to trigger arbitrary code execution on affected Tomcat servers.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-25329

Severity: High

CVSS Score: 7.0

The Apache Tomcat 9.0.41 third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2021-25329 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25329.

MediumResolvedOxygen Feedback 1.4 and older versions2021-04-13 10:30:18
CVE-2021-25122

Abstract

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

The tomcat-coyote package is vulnerable to Information Exposure. The process method in AbstractProtocol.class does not properly handle HTTP/2 Cleartext (h2c) connections between multiple clients, responding with the request headers and partial body of one connection to another. An attacker can exploit this to gain access to sensitive information meant for a different client.

The Oxygen Feedback product incorporates the Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-25122

Severity: High

CVSS Score: 7.5

The Apache Tomcat 9.0.41 third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-25122 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25122.

MediumResolvedOxygen Feedback 1.4 and older versions2021-04-13 14:43:15
CVE-2021-22112

Abstract

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

The spring-security-web package is vulnerable to Improper Authorization. The saveContext() method in the HttpSessionSecurityContextRepository class and the contextChanged() method in the HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper class fail to store the HttpSession if the SecurityContext is altered more than once per request. An attacker can leverage this behavior to extend the scope of their existing privileges in order to access functionality that would otherwise be restricted.

The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2021-22112

Severity: High

CVSS Score: 8.8

The Spring Security 5.4.2 module (part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2021-22112 vulnerability description.

Starting with Oxygen Feedback 1.4.1, the Spring Security module was updated to version 5.4.5, which includes a fix for CVE-2021-22112.

MediumResolvedOxygen Feedback 1.4 and older versions2021-04-13 16:35:20
CVE-2020-13936

Abstract

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Apache Velocity is vulnerable to Code Injection. The checkObjectExecutePermission method in SecureIntrospectorImpl.class fails to deny access to java.lang.ClassLoader methods. An attacker with template modification abilities can exploit this to execute arbitrary code using a maliciously crafted template when Velocity templates are used in the context of a VelocityView.

The Oxygen product incorporates Velocity as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-13936

Severity: High

CVSS Score: 8.8

The Velocity third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-13936 vulnerability description.

LowResolved Oxygen XML Editor 23.1 and older versions
Oxygen XML Developer 23.1 and older versions
Oxygen XML Author 23.1 and older versions
2021-04-12 10:15:21
SYNC-2021-031201

Abstract

The express package is vulnerable to HTTP Response Splitting. The redirect() function in the file response.js allows Carriage Return and Line Feed (CRLF) characters in the user input, which is then injected into the HTTP response. A remote attacker can exploit the vulnerability by crafting user input with the CRLF characters which will allow the attacker to set arbitrary HTTP response headers and control the body of the HTTP response. Likewise, any sensitive information, such as authentication tokens that are returned in the HTTP response sequentially after the injection point, will be accessible to the attacker.

The Oxygen Content Fusion product incorporates the express package as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

SYNC-2021-031201

Severity: High

CVSS Score: 7.5

While there is no non-vulnerable version of this component the vulnerability was fixed at the runtime level, within NodeJS itself.

All versions of Oxygen Content Fusion are using a NodeJS version newer than 0.9.4.

Therefore, the Oxygen Content Fusion product is not affected by this vulnerability.

LowResolvedOxygen Content Fusion 4.0 and older versions2021-03-12 15:32:17
CVE-2020-36048

Abstract

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

The engine.io package is vulnerable to Denial of Service (DoS) attacks. The constructor in server.js declares an insecure buffer limit of 100mb for requests. A remote attacker can exploit this vulnerability by leveraging the long polling transport to submit a large POST payload that may encapsulate multiple malicious packets. Processing this payload will cause the application to consume all available resources, ultimately resulting in a DoS condition.

The Oxygen Content Fusion product incorporates the engine.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36049

Severity: High

CVSS Score: 7.5

The engine.io package third-party library used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2020-36048 vulnerability description.

Starting with Oxygen Content Fusion 4.0, we have limited the maximum size of a package to 1MB.

Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36048.

MediumResolvedOxygen Content Fusion 3.0 and older versions2021-03-09 10:43:11
CVE-2020-36049

Abstract

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

The socket.io-parser package is vulnerable to Denial of Service (DoS). The decodeString() function in index.js fails to parse large remote strings passed into the application for decoding due to unnecessary memory allocation leading to Uncontrolled Resource Consumption. A remote attacker with control over the input string being decoded by the library may craft a malicious string that would cause an application using the socker.io-parser package to crash.

The Oxygen Content Fusion product incorporates the socket.io-parser as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2020-36049

Severity: High

CVSS Score: 7.5

The socket.io-parser package third-party library used by Oxygen Content Fusion software product is an affected version mentioned in CVE-2020-36049 vulnerability description.

Starting with Oxygen Content Fusion 4.0, we have limited the maximum size of a package to 1MB.

Therefore, the Oxygen Content Fusion product is not impacted by CVE-2020-36049.

MediumResolvedOxygen Content Fusion 3.0 and older versions2021-03-09 12:18:30
CVE-2016-1000027

Abstract

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

The org.springframework:spring-web package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The readRemoteInvocation method in HttpInvokerServiceExporter.class does not properly verify or restrict untrusted objects prior to deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which when deserialized, execute arbitrary code on the vulnerable system.

The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Detail

CVE-2016-1000027

Severity: High

CVSS Score: 9.8

The Spring Web 5.2.9.RELEASE module(part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2016-1000027 vulnerability description. However, the Oxygen Feedback product is not affected by this vulnerability because the HttpInvokerServiceExporter class is not used.

Starting with Oxygen Feedback 1.3.1, the Spring Web module was rebuilt after we removed the classes and packages (org.springframework.remoting.caucho, org.springframework.remoting.httpinvoker) where the vulnerability was reported.

Therefore, the Oxygen Feedback product is not impacted by CVE-2016-1000027.

MediumResolvedOxygen Feedback 1.32020-11-03 16:14:14
CVE-2020-1938

Abstract

Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Tomcat is susceptible to a vulnerability which could allow for reading of arbitrary files on the affected system (CVE-2020-1938). The vulnerability exists in the Apache JServ Protocol (AJP) protocol, which is enabled by default and listens on all configured IP addresses. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. This affects Apache Tomcat versions 6.x, 7.x less than 7.0.100, 8.x less than 8.5.51 and 9.x less than 9.0.31.

Multiple Oxygen XML products incorporate Apache Tomcat. This advisory was opened to address the potential impact on this vulnerability.

Detail

CVE-2020-1938

Severity: High

CVSS Score: 9.8

Apache Tomcat used by Oxygen XML software products has an affected version mentioned in CVE-2020-1938 vulnerability description. However, the AJP Connector (where the vulnerability exists) is not enabled and used in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2020-1938.

MediumResolved Oxygen XML Web Author 22.0.0 and older versions
Oxygen Content Fusion 1.2 and older versions
2020-04-07 16:00:00
CVE-2019-17571

Abstract

On December 19, 2019, Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Log4j has a deserialization issue that could cause remote code execution (CVE-2019-17571). Log4j is a Java-based open-source logging tool that includes a SocketServer class which can easily accept serialized log events and deserialize them without authentication. With the aid of deserialization tools, an attacker could use this class to remotely execute arbitrary code. This affects Log4j versions up to 1.2 up to 1.2.17. A similar flaw found in Log4j 2.x has been assigned CVE-2017-5645.

Multiple Oxygen XML products incorporate Apache Log4j as third party library. This advisory was opened to address the potential impact on this third party library vulnerability.

Detail

CVE-2019-17571

Severity: High

CVSS Score: 9.8

Log4j third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2019-17571 vulnerability description. However, the Log4j capability to access remote logs through its SocketServer class (where the vulnerability exists) is not enabled and used in Oxygen XML software products. Log4j is used for basic logging within our applications. Therefore Oxygen XML software products are not impacted by CVE-2019-17571.

MediumResolved Oxygen XML Editor 21.1 and older versions
Oxygen XML Developer 21.1 and older versions
Oxygen XML Author 21.1 and older versions
Oxygen PDF Chemistry 21.1 and older versions
Oxygen XML WebHelp 21.1 and older versions
Oxygen XML Web Author 21.1.1 and older versions
Oxygen Content Fusion 1.2 and older versions
2020-05-18 15:00:00
SYNC-2019-111401

Abstract

The handling of XML documents in Oxygen XML Editor/Author/Developer is vulnerable to attacks based on XML External Entities (XXE). This applies only to documents that contain embedded DTDs and Entity declarations.

Detail

SYNC-2019-111401

Severity: Medium

CVSS Score: 6.5

This is a medium-severity issue. Because the embedded XML parser does not offer enough control over the location of files it opens, this XXE vulnerability allows execution of specially crafted XML files. Thus, the attacker can read files that are accessible to the Oxygen XML process currently running. In order to be successful, the attacker should have very good knowledge of the files location in your file system to be able to access the information stored on your computer.

MediumResolved Oxygen XML Editor 21.1 and older versions
Oxygen XML Developer 21.1 and older versions
Oxygen XML Author 21.1 and older versions
2019-12-11 16:14:14

Important:

  • This table is not yet a complete list of vulnerabilities. Formulating such a list is an extensive undertaking which Syncro Soft is addressing systematically.
  • Syncro Soft does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate.
  • Syncro Soft Security Advisories are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Syncro Soft reserves the right to change or update this content without notice at any time.

For more information about security at Syncro Soft, see our Security page. If you believe you've found a security vulnerability, see Reporting a new vulnerability.