{"id":"CVE-2022-4245","details":"A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment method fails to sanitize comment text for a --\u003e sequence, which terminates an XML comment. As a result, text contained in the comment string could be interpreted as XML, allowing XML injection.","aliases":["GHSA-jcwr-x25h-x5fh"],"modified":"2026-03-14T15:00:23.570915Z","published":"2023-09-25T20:15:10.400Z","references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:2135"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:3906"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2022-4245"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2149843"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/codehaus-plexus/plexus-utils","events":[{"introduced":"0"},{"fixed":"fd36d8b80ba10955ef065230571ce2be2d4c1bbb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.24"}]}}],"versions":["plexus-utils-2.0.7","plexus-utils-2.1","plexus-utils-3.0","plexus-utils-3.0.1","plexus-utils-3.0.10","plexus-utils-3.0.11","plexus-utils-3.0.12","plexus-utils-3.0.13","plexus-utils-3.0.14","plexus-utils-3.0.15","plexus-utils-3.0.16","plexus-utils-3.0.17","plexus-utils-3.0.18","plexus-utils-3.0.19","plexus-utils-3.0.2","plexus-utils-3.0.20","plexus-utils-3.0.21","plexus-utils-3.0.22","plexus-utils-3.0.23","plexus-utils-3.0.3","plexus-utils-3.0.4","plexus-utils-3.0.5","plexus-utils-3.0.6","plexus-utils-3.0.7","plexus-utils-3.0.8","plexus-utils-3.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4245.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.10.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}