CVE-2022-45688 - Denial of Service (DoS)

Severity: High

2023-07-26

Security Advisories

Abstract

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

The Oxygen products incorporate hutool-json as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion v5.1 and older | High | Oxygen Content Fusion 5.1.1 build 2023072112 |
| Oxygen License Server v25.0 and older | None | Oxygen License Server v25.1 build 2023031316 |
| Oxygen Publishing Engine v25.0 | None | Oxygen Publishing Engine v25.1 build 2023031411 |
| Oxygen Web Author v25.0.0.3 and older | None | N/A |
| Oxygen XML Author v25.0 and older | Low | Oxygen XML Author 25.1 build 2023031510 |
| Oxygen XML Developer v25.0 and older | Low | Oxygen XML Developer 25.1 build 2023031510 |
| Oxygen XML Editor v25.0 and older | Low | Oxygen XML Editor 25.1 build 2023031510 |

Mitigation

None

Detail

CVE-2022-45688

Severity: High

CVSS Score: 7.5

The hutool-json third-party library used by Oxygen Content Fusion is an affected version mentioned in the CVE-2022-45688 vulnerability description. Starting with Oxygen Content Fusion 5.1.1 build 2023072112, the affected library was updated to a version that fixes this vulnerability.

Since Oxygen Publishing Engine doesn't use XML.toJSONObject, this vulnerability does not affect Oxygen Publishing Engine. However, starting with Oxygen Publishing Engine v25.1 build 2023031411, the affected library was updated to a version that fixes this vulnerability.

Starting with Oxygen License Server v25.1 build 2023031316, the affected library was updated to a version that fixes this vulnerability.
