Codehaus-plexus: XML External Entity (XXE) injection
Description
Codehaus Plexus XmlWriterUtil#writeComment fails to sanitize XML comment end sequences, allowing XML injection via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
CVE-2022-4245 is an XML injection flaw in the Codehaus Plexus library, specifically in the XmlWriterUtil#writeComment method of org.codehaus.plexus.util.xml. The method does not sanitize user-controlled input for the --> sequence, which marks the end of an XML comment. As a result, an attacker can inject arbitrary XML content by including --> in the input, breaking out of the intended comment context and inserting malicious XML elements [1][2].
Exploitation
Exploitation requires the application to pass untrusted data to the writeComment method when generating XML output. No authentication is strictly needed if the application exposes such functionality to unauthenticated users. The attack vector is network-based, as the injected XML is processed downstream by XML parsers. The vulnerability is classified as XML injection, and in some evaluations it is also linked to XML External Entity (XXE) injection because the injected content can include entity references [3].
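The comment break-out described in the Details and Exploitation sections, as an added Python example (not plexus-utils code): a minimal comment writer with the pre-fix behaviour, the same strip-until-gone sanitization the upstream patch applies in Java, and a parser check that shows where the injected element ends up. The function names, the surrounding `<config>` document and the sample input are constructed for this example; real callers of `XmlWriterUtil#writeComment` produce different surrounding markup.

```python
"""Added example (Python, not plexus-utils code): a minimal XML comment writer
that reproduces the writeComment defect described above and the fix pattern
from the upstream patch (strip "<!--" and "-->" until none remain).
Function names, the surrounding <config> document and the sample inputs are
constructed for this example."""
import xml.etree.ElementTree as ET


def write_comment_unsafe(comment):
    """Pre-fix behaviour: the caller's text is placed inside the comment verbatim."""
    if comment is None:
        comment = "null"
    return "<!-- " + comment + " -->"


def sanitize_comment(comment):
    """Fix pattern from the patch: remove both delimiter sequences until none remain.
    The loop is needed because one removal can re-form a delimiter,
    e.g. "<<!--!--" becomes "<!--" after the first pass."""
    if comment is None:
        comment = "null"
    while "<!--" in comment:
        comment = comment.replace("<!--", "")
    while "-->" in comment:
        comment = comment.replace("-->", "")
    return comment


def write_comment_safe(comment):
    """Post-fix behaviour: delimiters are stripped before the comment is emitted."""
    return "<!-- " + sanitize_comment(comment) + " -->"


def build_document(writer, comment):
    """Embed the comment in a small document, as an application using the writer would."""
    return "<config>" + writer(comment) + "<name>app</name></config>"


def child_elements(xml_text):
    """Parse the generated document and list its child element tags.
    The parser discards comments, so any element that came from the
    comment text shows up here as an injected node."""
    return [child.tag for child in ET.fromstring(xml_text)]


def is_well_formed(xml_text):
    """Check whether the document parses at all (expat rejects "--" inside comments)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed untrusted input: closes the comment, adds an element, reopens a comment.
    payload = "build note --><admin enabled='true'/><!-- end"
    print(child_elements(build_document(write_comment_unsafe, payload)))  # ['admin', 'name']
    print(child_elements(build_document(write_comment_safe, payload)))    # ['name']
    # Caveat: a bare "--" survives the fix, and XML 1.0 forbids it inside comments.
    print(is_well_formed(build_document(write_comment_safe, "a -- b")))   # False
```

The last check is the caveat a practitioner should keep in mind: the patch stops the break-out, but it does not make every comment well-formed, since a lone `--` in untrusted text still reaches the output and strict parsers reject it. Applications that build XML from user input should therefore still validate the generated document, or neutralise every `--` run rather than only the two delimiter sequences.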
Impact
Successful exploitation can allow an attacker to inject arbitrary XML structures, potentially leading to information disclosure, denial of service, or further attacks against XML parsers. In the context of products like Red Hat Integration Camel K and Red Hat Process Automation Manager, this could compromise the confidentiality and integrity of processed data [3][4].
Mitigation
Red Hat released security advisories RHSA-2023:3906 (Camel K 1.10.1) and RHSA-2023:2135 (Process Automation Manager 7.13.3) that include fixes for CVE-2022-4245, rated with Important severity [3][4]. Users should update to the patched versions. There is no evidence of active exploitation in the wild, and the CVE is not on CISA's Known Exploited Vulnerabilities (KEV) list.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.codehaus.plexus:plexus-utils (Maven) | < 3.0.24 | 3.0.24 |
Affected products
- Red Hat / Red Hat JBoss A-MQ 7: cpe:/a:redhat:amq_broker:7 (v5)
- Red Hat / A-MQ Clients 2: cpe:/a:redhat:a_mq_clients:2 (v5)
- Red Hat / Red Hat A-MQ Online: cpe:/a:redhat:amq_online:1 (v5)
- Red Hat / RHINT Camel-K-1.10.1: cpe:/a:redhat:camel_k:1 (v5)
- Red Hat / Red Hat Integration Camel Quarkus: cpe:/a:redhat:camel_quarkus:2 (v5)
- cpe:/a:redhat:camel_spring_boot:3
- Red Hat / Red Hat Integration Change Data Capture: cpe:/a:redhat:integration:1 (v5)
- Red Hat / Red Hat JBoss Data Grid 7: cpe:/a:redhat:jboss_data_grid:7 (v5)
- Red Hat / Red Hat Data Grid 8: cpe:/a:redhat:jboss_data_grid:8 (v5)
- cpe:/a:redhat:jbosseapxp
- cpe:/a:redhat:jboss_enterprise_application_platform:6
- cpe:/a:redhat:jboss_enterprise_application_platform:7
- cpe:/a:redhat:jboss_enterprise_bpms_platform:7
- Red Hat / RHPAM 7.13.1 async: cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 (v5)
- Red Hat / Red Hat Decision Manager 7: cpe:/a:redhat:jboss_enterprise_brms_platform:7 (v5)
- cpe:/a:redhat:jboss_enterprise_web_server:3
- cpe:/a:redhat:jboss_enterprise_web_server:5
- Red Hat / Red Hat JBoss Fuse 6: cpe:/a:redhat:jboss_fuse:6 (v5)
- Red Hat / Red Hat JBoss Fuse 7: cpe:/a:redhat:jboss_fuse:7 (v5)
- cpe:/a:redhat:jboss_fuse_service_works:6
- Red Hat / Red Hat support for Spring Boot: cpe:/a:redhat:openshift_application_runtimes:1.0 (v5)
- Red Hat / Red Hat build of Quarkus: cpe:/a:redhat:quarkus:2 (v5)
- cpe:/a:redhat:red_hat_single_sign_on:7
- cpe:/a:redhat:rhel_software_collections:3
- Red Hat / Red Hat Integration Service Registry: cpe:/a:redhat:service_registry:2 (v5)
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:9
Patches
f933e5e78dc2 Updated to remove '<!--' and '-->' from XML comments to guard against XML
1 file changed · +10 −0
src/main/java/org/codehaus/plexus/util/xml/XmlWriterUtil.java+10 −0 modified@@ -186,6 +186,16 @@ public static void writeComment( XMLWriter writer, String comment, int indent, i comment = "null"; } + while ( comment.contains( "<!--" ) ) + { + comment = comment.replace( "<!--", "" ); + } + + while ( comment.contains( "-->" ) ) + { + comment = comment.replace( "-->", "" ); + } + if ( indent < 0 ) { indent = 0;
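Review bot: the two `while` loops strip only the literal `<!--` and `-->` sequences, so a bare `--` in `comment` still reaches the output, and XML 1.0 forbids `--` anywhere inside a comment; a comment such as `a -- b` will therefore still produce a document that strict parsers reject. Consider neutralising every `--` run instead (for example by inserting a space, `- -`), which closes that gap and also avoids silently deleting user text. Repeating the `replace` is correct, since one pass can re-form a delimiter (`<<!--!--` becomes `<!--`), but that reasoning deserves a one-line code comment, and the `writeComment` Javadoc is not updated to say the comment text is altered before it is written.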
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2023:2135 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2023:3906 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-jcwr-x25h-x5fh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-4245 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2022-4245 (ghsa, vdb-entry, x_refsource_REDHAT, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, issue-tracking, x_refsource_REDHAT, WEB)
- github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de (ghsa, WEB)
- github.com/codehaus-plexus/plexus-utils/issues/3 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102 (ghsa, WEB)
News mentions
No linked articles in our index yet.