CVE-2023-4586 - Improper Input Validation
Severity: None2023-12-22
Abstract
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
The Oxygen products incorporate netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Publishing Engine v26.0 and older | None | N/A |
Oxygen Content Fusion v6.0 and older | None | N/A |
Detail
CVE-2023-4586
Severity: High
CVSS Score: 7.4
The netty third-party library used by Oxygen XML products is an affected
version mentioned in CVE-2023-4586 vulnerability description.
Oxygen Content Fusion
uses netty library only to connect internally and doesn't use hostname
verification with this library. For that reason, Oxygen XML products are not affected by this
vulnerability.