{"id":"CVE-2022-0265","summary":"Improper Restriction of XML External Entity Reference in hazelcast/hazelcast","details":"Improper Restriction of XML External Entity Reference (XXE, CWE-611) in the GitHub repository hazelcast/hazelcast, in version 5.1-BETA-1. Per the affected ranges in this record, every commit before the fix 4d6b666cd0291abd618c3b95cdbb51aa4208e748 is in scope, so earlier releases should be treated as affected as well.","aliases":["GHSA-99wh-973f-779p"],"modified":"2026-04-11T23:37:32.873669Z","published":"2022-03-03T21:40:10Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/0xxx/CVE-2022-0265.json","cwe_ids":["CWE-611"],"cna_assigner":"@huntrdev"},"references":[{"type":"WEB","url":"https://huntr.dev/bounties/d63972a2-b910-480a-a86b-d1f75d24d563"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/0xxx/CVE-2022-0265.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0265"},{"type":"FIX","url":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hazelcast/hazelcast","events":[{"introduced":"0"},{"fixed":"4d6b666cd0291abd618c3b95cdbb51aa4208e748"}]},{"type":"GIT","repo":"https://github.com/hazelcast/hazelcast","events":[{"introduced":"0"},{"fixed":"4d6b666cd0291abd618c3b95cdbb51aa4208e748"}]}],"versions":["v2.0","v2.1","v3.0","v3.0-RC1","v3.1","v3.2","v3.3-EA","v3.3-EA2","v3.5.1-stale"],"database_specific":{"vanir_signatures_modified":"2026-04-11T23:37:32Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0265.json","vanir_signatures":[{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"file":"hazelcast/src/test/java/com/hazelcast/internal/util/XmlUtilTest.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-2642dfe7","digest":{"line_hashes":["143433457101903836927512141946668239481","143264415324238305670178837955169805318","16725839911482363078626755158018901137","167568837272694373981240044143234758578","1626274434222463869330744371776
88639266","89420978300655439147569773729902678096","108432983993056277199639922105407039249","187217663427440579596979109580988874455","210828925992132403172167186046560599897","304519003485506692364558500753108877553","243311464505544961109832353580438365578","330704143963564327166046524418225690848","232055742871079391335589366607765549222","3300892109408280985899499035513070132","211722072270930995880018981463032463151","8666393019634348098563932705045831640","94259220322393783486350873525304878746","188628785271754465168981730603145294497","261563595121120063255589214089368396286","32112824637269519312693856963860963291","279514092887576377356579579095160175626","10305371627295671447410905688487449213","294065816120542552016361331618336758513","224883430958328884474612833426651293041","221700803402246357359922967260668069725"],"threshold":0.9},"signature_type":"Line"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"testFormat","file":"hazelcast/src/test/java/com/hazelcast/internal/util/XmlUtilTest.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-4f67a2c4","digest":{"length":670,"function_hash":"31329638635561983277444704336829090436"},"signature_type":"Function"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"file":"hazelcast/src/main/java/com/hazelcast/internal/util/XmlUtil.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-53ca4908","digest":{"line_hashes":["220306376122909878290545890463207150049","117784562842242237438695230959091139343","220579301204531891317771964560861406868","337520155802861371473594482624049477512","63463406280238557925168035647013326919","329441970767867480762527758387830386982","142831076438357319071465596262650462747","202595620253934734762534153472667983051","333277114570787774830554264074054192466","119015603005145960303127012455142395245","2768720274204490
55927404173860716536824","206822523581767359873618734236819014149","260884238588112590148401424879064652930","301325313767313766028878922385795300416","147862378732155015145672196286595924835","105434885011153617205883541969593204716","158320137372969902981253741014061015879","209536411554064145427843230982924609330","49160438046922882106306091019743665603","184372872687703135646277226319698554929","67318536124873959666152776970167700142","252709441073314681004192396797882881987","130708333237305247180818811021398508395","305400341993270473878297576181282580537","46255479367281813885582551902325379467","69872131647729648498740342522110906627","330264224331142371069982749104619836671","13572302740547741169591080473780113420","81765898140504838130405693024232612316","58311831032784347258877962639558066367","194222082881883344836086910566573733364","120907481636204902399851660549288455726","164321817749517183047557533092938657223","55713352223882213742385437457223263383","284490138856594303489347214910005396100","311520740758969638036823796316559793126","283165919638995029536454027832274286804","3898805155890640656314744022143351022","242584968458108502381487566249729047429","184312112595134381288443269912059421736","187030036183416927199236238024604434455","283191374050092454008708414442623805600","333127000008848072318115593335175965204","43231089267410063828894616756594778128","145988128837074364503949629303925225687","270466655136037174806558862928944011747","89155216758844374342967769374608097803","236475231317952517215307892752730311084","202953112843188937063638618963593920600","191150049184719174918849761168383374645","332622403933779218529695953005004151760","63873733299292816805921404082760710388","221156733725182370271127501702424198388","40005257822710126676980476113207635896","297803000527143455336927564081397057250","276910592699050031514106368425317721879","3596533831213525709717686388942572730","323117765289286585466763923886059203390","1933496274122149
81906858261919701388645","270586406130689403390240750370466164197","311974197425857756693056719311950889045","145988128837074364503949629303925225687","270466655136037174806558862928944011747","89155216758844374342967769374608097803","236475231317952517215307892752730311084","202953112843188937063638618963593920600","198591619371764361500426480160714106662"],"threshold":0.9},"signature_type":"Line"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"getNsAwareDocumentBuilderFactory","file":"hazelcast/src/main/java/com/hazelcast/internal/util/XmlUtil.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-93267f89","digest":{"length":208,"function_hash":"203879290092569252727850168843544565607"},"signature_type":"Function"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"setFeature","file":"hazelcast/src/main/java/com/hazelcast/internal/util/XmlUtil.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-bf721e96","digest":{"length":1112,"function_hash":"67084741499527725987311041754231112138"},"signature_type":"Function"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"AbstractXmlConfigRootTagRecognizer","file":"hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-c58ad94d","digest":{"length":136,"function_hash":"169588457770676729328190780709580221688"},"signature_type":"Function"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"setProperty","file":"hazelcast/src/main/java/com/hazelcast/internal/util/XmlUtil.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-e353527f","digest":{"length":1062,"function_hash":"3354831970276374641
66438627203320202192"},"signature_type":"Function"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"file":"hazelcast/src/main/java/com/hazelcast/internal/config/AbstractXmlConfigRootTagRecognizer.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-f13aef70","digest":{"line_hashes":["314100040060982325413919065280271982094","36506085335580643303169383225759221632","227126087028363813535240516501849537971","61414114981765105736716758069389125283","281778869838324119408680061279537249635","296126765186712315638633324885740923082","124711172282621550506864786399686753046"],"threshold":0.9},"signature_type":"Line"},{"source":"https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748","target":{"function":"setAttribute","file":"hazelcast/src/main/java/com/hazelcast/internal/util/XmlUtil.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2022-0265-fb6eec17","digest":{"length":1072,"function_hash":"282785996555952033729414433644411729325"},"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}