CVE-2023-3276 – Dromara HuTool XML Parsing Module XmlUtil.java readBySax xml external entity reference
https://notcve.org/view.php?id=CVE-2023-3276
15 Jun 2023 — A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to XML external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. • https://fbdhhhh47.github.io/2023/06/06/hutool-XXE • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-33695
https://notcve.org/view.php?id=CVE-2023-33695
13 Jun 2023 — Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java. • https://github.com/dromara/hutool/issues/3103 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-24162
https://notcve.org/view.php?id=CVE-2023-24162
31 Jan 2023 — Deserialization vulnerability in Dromara Hutool v5.8.11 allows an attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. • https://gitee.com/dromara/hutool/issues/I6AEX2 • CWE-502: Deserialization of Untrusted Data •
CVE-2023-24163
https://notcve.org/view.php?id=CVE-2023-24163
31 Jan 2023 — SQL Injection vulnerability in Dromara hutool before 5.8.21 allows an attacker to execute arbitrary code via the aviator template engine. SQL injection vulnerability in Dromara hutool v5.8.11 allows an attacker to execute arbitrary code via the aviator template engine. • https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-4565 – Dromara HuTool cn.hutool.core.util.ZipUtil.java resource consumption
https://notcve.org/view.php?id=CVE-2022-4565
16 Dec 2022 — A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/dromara/hutool/issues/2797 • CWE-404: Improper Resource Shutdown or Release •
CVE-2022-45690
https://notcve.org/view.php?id=CVE-2022-45690
13 Dec 2022 — A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. • https://github.com/dromara/hutool/issues/2746 • CWE-787: Out-of-bounds Write •
CVE-2022-45689
https://notcve.org/view.php?id=CVE-2022-45689
13 Dec 2022 — hutool-json v5.8.10 was discovered to contain an out-of-memory error. • https://github.com/dromara/hutool/issues/2747 • CWE-787: Out-of-bounds Write •
CVE-2022-45688
https://notcve.org/view.php?id=CVE-2022-45688
13 Dec 2022 — A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. • https://github.com/scabench/jsonorg-tp1 • CWE-787: Out-of-bounds Write •
CVE-2022-22885
https://notcve.org/view.php?id=CVE-2022-22885
16 Feb 2022 — Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation. • https://github.com/miguelc49/CVE-2022-22885-2 • CWE-295: Improper Certificate Validation •
CVE-2018-17297
https://notcve.org/view.php?id=CVE-2018-17297
21 Sep 2018 — The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive. • https://github.com/looly/hutool/issues/162 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •