CVE-2022-2458

Business-central: Possible XML External Entity Injection attack

Severity Score

8.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

Una inyección de tipo XML external entity (XXE) es una vulnerabilidad que permite a un atacante interferir en el procesamiento de datos XML de una aplicación. Este ataque es producido cuando una entrada XML que contiene una referencia a una entidad externa es procesada por un parser XML débilmente configurado. El software procesa un documento XML que puede contener entidades XML con URIs que resuelven a documentos fuera del ámbito de control previsto, causando que el producto inserte documentos incorrectos en su salida. En este caso, la inyección de entidades externas XML conlleva a una interacción de servicios externos y la lectura de archivos internos en Business Central y también en las API de Kie-Server

An XML external entity injection(XXE) vulnerability was found in Business Central. This flaw allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, the XML external entity injection leads to External Service interaction and an Internal file read in Business Central and Kie-Server APIs.

*Credits: N/A

CVSS Scores

NISTv3.1 8.2

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-18 CVE Reserved
2022-08-09 CVE Published
2024-03-01 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-91: XML Injection (aka Blind XPath Injection)
CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2107994#c0	2023-06-23
https://access.redhat.com/security/cve/CVE-2022-2458	2022-10-05
https://bugzilla.redhat.com/show_bug.cgi?id=2107994	2022-10-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Process Automation Manager Search vendor "Redhat" for product "Process Automation Manager"				< 7.13.1 Search vendor "Redhat" for product "Process Automation Manager" and version " < 7.13.1"		-		Affected