=====================================================================
CERT-Renater Information Note No. 2023/VULN502
_____________________________________________________________________

DATE : 01/12/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Cocoon versions prior to 2.3.0.
=====================================================================

https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjp
https://lists.apache.org/thread/t87nntzt6dxw354zbqr9k7l7o1x8gq11

_____________________________________________________________________

CVE-2022-45135: Apache Cocoon: SQL injection in DatabaseCookieAuthenticatorAction

Severity: moderate

Affected versions:
- Apache Cocoon 2.2.0 before 2.3.0

Description:
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0.

Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Credit:
QSec-Team (finder)

References:
https://cocoon.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-45135

_____________________________________________________________________

CVE-2023-49733: Apache Cocoon's StreamGenerator is vulnerable to XXE injection

Severity: important

Affected versions:
- Apache Cocoon 2.2.0 before 2.3.0

Description:
Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon. This issue affects Apache Cocoon: from 2.2.0 before 2.3.0.

Users are recommended to upgrade to version 2.3.0, which fixes the issue.

References:
https://cocoon.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49733

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================