CVE-2022-4245: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2022-4245) was discovered in codehaus-plexus, specifically in the org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment functionality. The vulnerability was identified when it was found that the component fails to sanitize comments for a --> sequence, potentially allowing XML injection attacks. This vulnerability affects codehaus-plexus versions up to (excluding) 3.0.24 (NVD, CVE).

The vulnerability exists in the XML comment handling functionality of codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment method fails to properly sanitize comment content containing the --> sequence. This oversight could allow malicious text within the command string to be interpreted as XML, enabling XML injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

If exploited, this vulnerability could allow attackers to perform XML injection attacks through unsanitized comment content. The primary impact is related to confidentiality, with potential for information disclosure, as indicated by the CVSS metrics showing Low confidentiality impact (NVD).

The vulnerability has been fixed in codehaus-plexus version 3.0.24. Users are advised to upgrade to this version or later to address the security issue. Red Hat has released security updates for affected products through various security advisories including RHSA-2023:2135 and RHSA-2023:3906 (Red Hat Advisory, Red Hat Advisory 2).