// For flags

CVE-2022-2414

pki-core: access to external entities when parsing XML can lead to XXE

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

5
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

El acceso a entidades externas cuando son analizados documentos XML puede conllevar a ataques de tipo XML external entity (XXE). Este fallo permite a un atacante remoto recuperar potencialmente el contenido de archivos arbitrarios mediante el envío de peticiones HTTP especialmente diseñadas

A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

Christina Fu discovered that Dogtag PKI accidentally enabled a mock authentication plugin by default. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. This issue only affected Ubuntu 16.04 LTS. It was discovered that Dogtag PKI did not properly sanitize user input. An attacker could possibly use this issue to perform cross site scripting and obtain sensitive information. This issue only affected Ubuntu 22.04 LTS.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-14 CVE Reserved
  • 2022-07-29 CVE Published
  • 2022-08-18 First Exploit
  • 2024-08-03 CVE Updated
  • 2025-05-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 10.5.18
Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.5.18"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 10.7.4
Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.7.4"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 10.8.3
Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.8.3"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 10.11.2
Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.11.2"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 10.12.4
Search vendor "Dogtagpki" for product "Dogtagpki" and version "10.12.4"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 11.0.5
Search vendor "Dogtagpki" for product "Dogtagpki" and version "11.0.5"
-
Affected
Dogtagpki
Search vendor "Dogtagpki"
 Dogtagpki
Search vendor "Dogtagpki" for product "Dogtagpki"
 11.1.0
Search vendor "Dogtagpki" for product "Dogtagpki" and version "11.1.0"
-
Affected