FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

opengrok -- Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok.

Affected packages
opengrok <= 1.6.7
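As an added example, not part of this VuXML entry or of the OpenGrok project, the following POSIX sh check decides whether an installed opengrok package version falls inside the affected range stated above (<= 1.6.7). It compares dotted versions numerically rather than as strings, so 1.10.0 correctly sorts after 1.6.7. The assumptions are that version components are numeric, that a FreeBSD PORTREVISION suffix such as 1.6.7_1 sorts after the bare 1.6.7 (as pkg(8) orders it), and that `pkg query %v opengrok` returns the installed version; epoch suffixes (`,N`) are not handled.

```shell
#!/bin/sh
# Added example, not part of the VuXML entry or the OpenGrok project.
# Decides whether an opengrok package version is inside the advisory's
# affected range "opengrok <= 1.6.7". Assumptions: version components are
# numeric, and a FreeBSD PORTREVISION suffix (1.6.7_1) sorts after the
# bare 1.6.7, as pkg(8) orders it. Epoch suffixes (",N") are not handled.

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
vercmp() {
    a=$1 b=$2
    # Split off the optional _N port revision; absent means 0.
    arev=0; case $a in *_*) arev=${a#*_}; a=${a%%_*};; esac
    brev=0; case $b in *_*) brev=${b#*_}; b=${b%%_*};; esac
    # Walk the dotted components left to right; a missing component is 0,
    # so 1.6 and 1.6.0 compare equal.
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    # Dotted parts are equal: the port revision decides.
    if [ "$arev" -lt "$brev" ]; then echo -1
    elif [ "$arev" -gt "$brev" ]; then echo 1
    else echo 0
    fi
}

# is_affected VERSION: exit 0 if VERSION <= 1.6.7 (the range above), else 1.
is_affected() {
    [ "$(vercmp "$1" 1.6.7)" -le 0 ]
}

# Typical use on a FreeBSD host (assumed pkg(8) query format):
#   is_affected "$(pkg query %v opengrok)" && echo "patch needed"
# Constructed sample versions so the script runs stand-alone:
for v in 1.5.12 1.6.7 1.6.7_1 1.6.9 1.10.0; do
    if is_affected "$v"; then
        echo "opengrok-$v: affected"
    else
        echo "opengrok-$v: not affected"
    fi
done
```

Note that 1.6.7_1 is reported as not affected: a PORTREVISION bump produces a version that pkg(8) considers newer than 1.6.7, so an entry whose range is written as `<= 1.6.7` does not match it. If a port fixed the issue with a local patch rather than a version upgrade, the VuXML range would need to name that revision explicitly.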

Details

VuXML ID 1135e939-62b4-11ec-b8e2-1c1b0d9ea7e6
Discovery 2021-04-07
Entry 2021-12-21

Bobby Rauch of Accenture reports:

I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok <1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)

References

CVE Name CVE-2021-2322
URL https://github.com/oracle/opengrok/pull/3528
URL https://www.oracle.com/security-alerts/oracle-open-source-cves-outside-other-oracle-public-documents.html