{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52326?format=json","vulnerability_id":"VCID-kkjc-yykt-t3f3","summary":"Denial of Service due to parser crash\n## Withdrawn\n\nThis advisory has been withdrawn because it has been found to be a duplicate. Please see the issue [here](https://github.com/x-stream/xstream/issues/304#issuecomment-1293654236) for more information.\n\n## Original Despcription \n\nThose using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\nThis vulnerability is only relevant for users making use of the DTD parsing functionality.","aliases":[{"alias":"CVE-2022-40153"},{"alias":"GHSA-fv22-xp26-mm9w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79969?format=json","purl":"pkg:maven/com.fasterxml.woodstox/woodstox-core@5.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.woodstox/woodstox-core@5.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/79968?format=json","purl":"pkg:maven/com.fasterxml.woodstox/woodstox-core@6.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.woodstox/woodstox-core@6.4.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/144501?format=json","purl":"pkg:maven/com.fasterxml.woodstox/woodstox-core@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xyr-vr5v-tbea"},{"vulnerability":"VCID-9kde-ya39-8bee"},{"vulnerability":"VCID-hqzr-vc5w-9ff5"},{"vulnerability":"VCID-kkjc-yykt-t3f3"},{"vulnerability":"VCID-zcks-qd7r-vkd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.woodstox/woodstox-core@6.0.0"}],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40153.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40153.json"},{"reference_url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/FasterXML/woodstox","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox"},{"reference_url":"https://github.com/FasterXML/woodstox/issues/157","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/issues/157"},{"reference_url":"https://github.com/FasterXML/woodstox/issues/160","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/issues/160"},{"reference_url":"https://github.com/FasterXML/woodstox/pull/159","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FasterXML/woodstox/pull/159"},{"reference_url":"https://github.com/x-stream/xstream/issues/304","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/x-stream/xstream/issues/304"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40153","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134290","reference_id":"2134290","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2134290"},{"reference_url":"https://github.com/advisories/GHSA-fv22-xp26-mm9w","reference_id":"GHSA-fv22-xp26-mm9w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fv22-xp26-mm9w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0469","reference_id":"RHSA-2023:0469","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0469"}],"weaknesses":[{"cwe_id":787,"name":"Out-of-bounds Write","description":"The product writes data past the end, or before the beginning, of the intended buffer."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"5.9 - 8.9","exploitability":"0.5","weighted_severity":"8.0","risk_score":4.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kkjc-yykt-t3f3"}