CVE-2022-2414

pki-core: access to external entities when parsing XML can lead to XXE

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

El acceso a entidades externas cuando son analizados documentos XML puede conllevar a ataques de tipo XML external entity (XXE). Este fallo permite a un atacante remoto recuperar potencialmente el contenido de archivos arbitrarios mediante el envío de peticiones HTTP especialmente diseñadas

A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-14 CVE Reserved
2022-07-29 CVE Published
2022-08-18 First Exploit
2024-07-13 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC
https://github.com/amitlttwo/CVE-2022-2414-Proof-Of-Concept	2022-12-06
https://github.com/satyasai1460/CVE-2022-2414	2023-10-05
https://github.com/superhac/CVE-2022-2414-POC	2022-08-18

URL	Date	SRC
https://github.com/dogtagpki/pki/pull/4021	2022-08-04

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-2414	2023-05-31
https://bugzilla.redhat.com/show_bug.cgi?id=2104676	2023-05-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				10.5.18 Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.5.18"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				10.7.4 Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.7.4"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				10.8.3 Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.8.3"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				10.11.2 Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.11.2"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				10.12.4 Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.12.4"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				11.0.5 Search vendor "Dogtagpki" for product "Dogtagpki" and version "11.0.5"		-		Affected
Dogtagpki Search vendor "Dogtagpki"		Dogtagpki Search vendor "Dogtagpki" for product "Dogtagpki"				11.1.0 Search vendor "Dogtagpki" for product "Dogtagpki" and version "11.1.0"		-		Affected