x-stream/xstream

dockter34 opened this issue · 1 comment

    We have requested that one will remain for woodstox (CVE-2022-40152), and that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted. Those using Woodstox in Xstream have DTD support enabled by default; at least that's how the vulnerability in woodstox was found, see [Xstream fuzz target](https://github.com/google/oss-fuzz/blob/master/projects/xstream/XmlFuzzer.java).

One will remain for Xstream (CVE-2022-40151) which is still open, see #314.

Originally posted by @henryrneh in #304 (comment)

Lonzak commented

We have requested that [...] that the duplicates (CVE-2022-40153, CVE-2022-40154, CVE-2022-40155 and CVE-2022-40156) will be deleted

You have requested it where? At MITRE corporation?

Update:
Ok found it myself - the CVEs have been REJECTED at MITRE:

**[REJECT]** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40156