CVE-2022-0839

nvd nist

Published: Mar 4, 2022Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Affected (2)

Products: Liquibase: Liquibase · Oracle: Sqlcl

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Liquibase Liquibase	Before 4.8.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Sqlcl	Version 19c

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (7)

https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381

Source: security@huntr.dev

Patch

https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70

Source: security@huntr.dev

ExploitPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: security@huntr.dev

PatchThird Party Advisory

http://seclists.org/fulldisclosure/2025/Apr/14

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.