Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-25312

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.

Published

2022-03-05T00:15:07.783

Last Modified

2024-11-21T06:51:58.573

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.1 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	any23	< 2.7	Yes

References

http://www.openwall.com/lists/oss-security/2022/03/04/2 Mailing List, Patch, Third Party Advisory ([email protected])
https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23 Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/03/04/2 Mailing List, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)