9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
liquibase-core is vulnerable to XML external entity attacks. The XMLChangeLogSAXParser
function of XMLChangeLogSAXParser.java
does not disable access to external entities by default, allowing an attacker to submit a malicious XML document to perform requests on behalf of the server.
github.com/advisories/GHSA-jvfv-hrrc-6q72
github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381
github.com/liquibase/liquibase/commit/d60de3f18acba5423b60d09ee40df44103a07295
github.com/liquibase/liquibase/pull/2384
huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70
huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70/
www.oracle.com/security-alerts/cpujul2022.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P