N/A

CVSS Score

Basic Information

CVE ID

CVE-2022-40155

GHSA ID

GHSA-5hc5-c3m9-8vcj

EPSS Score

CWE

CWE-787

Published

9/17/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-40155

CVE-2022-40155:
Denial of Service via stack overflow

Withdrawn

This advisory has been withdrawn because it has been found to be a duplicate. Please see the issue here for more information.

Original Despcription

Those using FasterXML/woodstox to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

This vulnerability is only relevant for users making use of the DTD parsing functionality.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2022-40155

GHSA ID

GHSA-5hc5-c3m9-8vcj

EPSS Score

CWE

CWE-787

Published

9/17/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS metrics data is empty

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.woodstox:woodstox-core	maven	>= 6.0.0, < 6.4.0	6.4.0
com.fasterxml.woodstox:woodstox-core	maven	< 5.4.0	5.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unlimited recursion in DTD parsing. The patch (PR #159) introduced a recursion depth limit in FullDTDReader, indicating this class's parse method was previously vulnerable. The CWE-787 classification appears incorrect; the actual issue was CWE-674 (Uncontrolled Recursion). The affected versions lacked depth checks during DTD processing, making the parse method susceptible to stack overflow via malicious DTDs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn T*is **visory **s ***n wit**r*wn ****us* it **s ***n *oun* to ** * *upli**t*. Pl**s* s** t** issu* [**r*](*ttps://*it*u*.*om/x-str**m/xstr**m/issu*s/***#issu**omm*nt-**********) *or mor* in*orm*tion. ## Ori*in*l **sp*ription T*os* us

Reasoning

T** vuln*r**ility st*ms *rom unlimit** r**ursion in *T* p*rsin*. T** p*t** (PR #***) intro*u*** * r**ursion **pt* limit in *ull*T*R****r, in*i**tin* t*is *l*ss's p*rs* m*t*o* w*s pr*viously vuln*r**l*. T** *W*-*** *l*ssi*i**tion *pp**rs in*orr**t; t*

N/A

Basic Information

Concerned about an active attack path?

CVE-2022-40155: Denial of Service via stack overflow

Withdrawn

Original Despcription

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-40155:
Denial of Service via stack overflow

Vulnerability Intelligence
Miggo AI