CVE-2022-2458

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:process_automation_manager:*:*:*:*:*:*:*:*

History

23 Jun 2023, 18:41

Type	Values Removed	Values Added
CWE	~~CWE-91~~	CWE-611

15 Aug 2022, 19:36

Type	Values Removed	Values Added
First Time		Redhat Redhat process Automation Manager
CPE		cpe:2.3:a:redhat:process_automation_manager::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.2
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0 - Issue Tracking, Vendor Advisory
CWE		CWE-91

10 Aug 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-10 20:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-2458

Mitre link : CVE-2022-2458

CVE.ORG link : CVE-2022-2458

JSON object : View

Products Affected

redhat

process_automation_manager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

CWE-91

XML Injection (aka Blind XPath Injection)

{"id": "CVE-2022-2458", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2022-08-10T20:15:36.367", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-91"}]}], "descriptions": [{"lang": "en", "value": "XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs."}, {"lang": "es", "value": "Una inyecci\u00f3n de tipo XML external entity (XXE) es una vulnerabilidad que permite a un atacante interferir en el procesamiento de datos XML de una aplicaci\u00f3n. Este ataque es producido cuando una entrada XML que contiene una referencia a una entidad externa es procesada por un parser XML d\u00e9bilmente configurado. El software procesa un documento XML que puede contener entidades XML con URIs que resuelven a documentos fuera del \u00e1mbito de control previsto, causando que el producto inserte documentos incorrectos en su salida. En este caso, la inyecci\u00f3n de entidades externas XML conlleva a una interacci\u00f3n de servicios externos y la lectura de archivos internos en Business Central y tambi\u00e9n en las API de Kie-Server"}], "lastModified": "2023-06-23T18:41:19.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:process_automation_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01DAB675-7E6A-4B64-953D-990E3FBC299B", "versionEndExcluding": "7.13.1"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}