CVE-2022-45688 - Denial of Service (DoS)
Severity: High2023-07-26
Abstract
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
The Oxygen products incorporate hutool-json as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen Content Fusion v5.1 and older | High | Oxygen Content Fusion 5.1.1 build 2023072112 |
| Oxygen License Server v25.0 and older | None | Oxygen License Server v25.1 build 2023031316 |
| Oxygen Publishing Engine v25.0 | None | Oxygen Publishing Engine v25.1 build 2023031411 |
| Oxygen Web Author v25.0.0.3 and older | None | N/A |
| Oxygen XML Author v25.0 and older | Low | Oxygen XML Author 25.1 build 2023031510 |
| Oxygen XML Developer v25.0 and older | Low | Oxygen XML Developer 25.1 build 2023031510 |
| Oxygen XML Editor v25.0 and older | Low | Oxygen XML Editor 25.1 build 2023031510 |
Detail
CVE-2022-45688
Severity: High
CVSS Score: 7.5
The hutool-json third-party library used by Oxygen Content Fusion is an affected version mentioned in CVE-2022-45688 vulnerability description. Starting with Oxygen Content Fusion 5.1.1 build 2023072112 the affected library was updated to version that fixes this vulnerability.
Since Oxygen Publishing Engine doesn't use XML.toJSONObject, this vulnerability does not affect Oxygen Publishing Engine. However, Oxygen Publishing Engine starting with v25.1 build 2023031411 the affected library was updated to a version that fixes this vulnerability.
Starting with Oxygen License Server v25.1 build 2023031316 the affected library was updated to a version that fixes this vulnerability
