CVE-2022-40152

Published: Sep 16, 2022Modified: May 23, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Affected (3)

Products: Xstream: Xstream · Fasterxml: Woodstox

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.20

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fasterxml Woodstox	Before 5.4.0
Fasterxml Woodstox	From 6.0.0 to 6.4.0

Related CWEs

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (4)

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434

Source: cve-coordination@google.com

ExploitPermissions RequiredThird Party Advisory

https://github.com/x-stream/xstream/issues/304

Source: cve-coordination@google.com

Issue TrackingThird Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPermissions RequiredThird Party Advisory

https://github.com/x-stream/xstream/issues/304

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.