x-stream / xstream

Serialize Java objects to XML and back again.
http://x-stream.github.io

We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default, at least that's how the vulnerability in woodstox was found, see [Xstream fuzz target](https://github.com/google/oss-fuzz/blob/master/projects/xstream/XmlFuzzer.java). #320

Closed dockter34 closed 1 year ago

dockter34 commented 1 year ago
> We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default, at least that's how the vulnerability in woodstox was found, see [Xstream fuzz target](https://github.com/google/oss-fuzz/blob/master/projects/xstream/XmlFuzzer.java).
>
> One will remain for Xstream (CVE-2022-40151) which is still open, see https://github.com/x-stream/xstream/issues/314.

Originally posted by @henryrneh in https://github.com/x-stream/xstream/issues/304#issuecomment-1293654236

Lonzak commented 1 year ago

> We have requested that [...] that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted

You have requested it where? At MITRE corporation?

Update: Ok found it myself - the CVEs have been REJECTED at MITRE:

> [REJECT] DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40153 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40154 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40155 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40156