CVE-2022-1700
 
0 Exploited in Wild
- Decision
Descriptions
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.
SSVC
- Decision: -
Timeline
- 2022-05-12 CVE Reserved
- 2022-09-12 CVE Published
- 2024-04-04 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
References (1)
URL | Date | SRC |
---|---|---|
https://help.forcepoint.com/security/CVE/CVE-2022-1700.html | 2022-09-15 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Forcepoint | Cloud Security Gateway | < 2022-06-20 | - | Affected |
Forcepoint | Data Loss Prevention | < 8.8.2 | - | Affected |
Forcepoint | Email Security | < 8.5.5 | - | Affected |
Forcepoint | One Endpoint With Policy Engine | < 8.8.2 | - | Affected |
Forcepoint | Web Security Content Gateway | < 8.5.5 | - | Affected |