Hi Warrell,
Yes it does ...
I think, however, that it should be quite straightforward to use log4j2
instead if needed.
Cédric
On 30/11/2023 at 12:30, warrell harries wrote:
Hi Cedric,
Does this build still use the infamous Log4J v1.2 jar... I know it's
actually benign due to no use of JNDI, but security vulnerability
scanners usually complain.
Thanks for your work on this.
Best regards
Warrell
On Thu, 30 Nov 2023, 11:16 Cédric Damioli, <cdami...@apache.org> wrote:
Severity: important
Affected versions:
- Apache Cocoon 2.2.0 before 2.3.0
Description:
Improper Restriction of XML External Entity Reference
vulnerability in Apache Cocoon. This issue affects Apache Cocoon:
from 2.2.0 before 2.3.0.
Users are recommended to upgrade to version 2.3.0, which fixes the
issue.
References:
https://cocoon.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49733
--
Cédric Damioli
CMS - Java - Open Source
www.ametys.org