Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qdmZ2LWhycmMtNnE3Ms0wUg

Improper Restriction of XML External Entity Reference in Liquibase

The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.

Permalink: https://github.com/advisories/GHSA-jvfv-hrrc-6q72
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdmZ2LWhycmMtNnE3Ms0wUg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-jvfv-hrrc-6q72, CVE-2022-0839
References:

Repository: https://github.com/liquibase/liquibase
Blast Radius: 43.8

Affected Packages

maven:org.liquibase:liquibase-core

Dependent packages: 816
Dependent repositories: 29,346
Downloads:
Affected Version Ranges: < 4.8.0
Fixed in: 4.8.0
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.0, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1
All unaffected versions: 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.16.1, 4.17.0, 4.17.1, 4.17.2, 4.18.0, 4.19.0, 4.19.1, 4.20.0, 4.21.0, 4.21.1, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.25.0, 4.25.1, 4.26.0, 4.27.0