Upstream information
CVE-2022-2414 at MITRE
Description
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
CVSS v3 Scores
| Metric | National Vulnerability Database |
|---|---|
| Base Score | 7.5 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
No SUSE Bugzilla entries cross referenced.
No SUSE Security Announcements cross referenced.
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 7 | pki-base >= 10.5.18-24.el7_9 | Patchnames: RHSA-2022:8799 |
| | pki-base-java >= 10.5.18-24.el7_9 | |
| | pki-ca >= 10.5.18-24.el7_9 | |
| | pki-javadoc >= 10.5.18-24.el7_9 | |
| | pki-kra >= 10.5.18-24.el7_9 | |
| | pki-server >= 10.5.18-24.el7_9 | |
| | pki-symkey >= 10.5.18-24.el7_9 | |
| | pki-tools >= 10.5.18-24.el7_9 | |
| SUSE Liberty Linux 8 | apache-commons-collections >= 3.2.2-10.module+el8.1.0+3366+6dfb954c | Patchnames: RHSA-2022:7470 |
| | apache-commons-lang >= 2.6-21.module+el8.1.0+3366+6dfb954c | |
| | apache-commons-net >= 3.6-3.module+el8.3.0+6805+72837426 | |
| | bea-stax-api >= 1.2.0-16.module+el8.1.0+3366+6dfb954c | |
| | glassfish-fastinfoset >= 1.2.13-9.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-api >= 2.2.12-8.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-core >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-runtime >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-txw2 >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | idm-pki-acme >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-base >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-base-java >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-ca >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-kra >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-server >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-symkey >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | idm-pki-tools >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | jackson-annotations >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-core >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-databind >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-jaxrs-json-provider >= 2.9.9-1.module+el8.1.0+3832+9784644d | |
| | jackson-jaxrs-providers >= 2.9.9-1.module+el8.1.0+3832+9784644d | |
| | jackson-module-jaxb-annotations >= 2.7.6-4.module+el8.1.0+3366+6dfb954c | |
| | jakarta-commons-httpclient >= 3.1-28.module+el8.1.0+3366+6dfb954c | |
| | javassist >= 3.18.1-8.module+el8.1.0+3366+6dfb954c | |
| | javassist-javadoc >= 3.18.1-8.module+el8.1.0+3366+6dfb954c | |
| | jss >= 4.9.4-1.module+el8.7.0+15532+95bac9ee | |
| | jss-javadoc >= 4.9.4-1.module+el8.7.0+15532+95bac9ee | |
| | ldapjdk >= 4.23.0-1.module+el8.5.0+11983+6ba118b4 | |
| | ldapjdk-javadoc >= 4.23.0-1.module+el8.5.0+11983+6ba118b4 | |
| | pki-servlet-4.0-api >= 9.0.50-1.module+el8.7.0+15761+f86c9a56 | |
| | pki-servlet-engine >= 9.0.50-1.module+el8.7.0+15761+f86c9a56 | |
| | python-nss-doc >= 1.0.1-10.module+el8.1.0+3366+6dfb954c | |
| | python3-idm-pki >= 10.12.0-4.module+el8.7.0+16126+c5918a27 | |
| | python3-nss >= 1.0.1-10.module+el8.1.0+3366+6dfb954c | |
| | relaxngDatatype >= 2011.1-7.module+el8.1.0+3366+6dfb954c | |
| | resteasy >= 3.0.26-6.module+el8.4.0+8891+bb8828ef | |
| | slf4j >= 1.7.25-4.module+el8.1.0+3366+6dfb954c | |
| | slf4j-jdk14 >= 1.7.25-4.module+el8.1.0+3366+6dfb954c | |
| | stax-ex >= 1.7.7-8.module+el8.2.0+5723+4574fbff | |
| | tomcatjss >= 7.7.1-1.module+el8.6.0+13291+248751b1 | |
| | velocity >= 1.7-24.module+el8.1.0+3366+6dfb954c | |
| | xalan-j2 >= 2.7.1-38.module+el8.1.0+3366+6dfb954c | |
| | xerces-j2 >= 2.11.0-34.module+el8.1.0+3366+6dfb954c | |
| | xml-commons-apis >= 1.4.01-25.module+el8.1.0+3366+6dfb954c | |
| | xml-commons-resolver >= 1.2-26.module+el8.1.0+3366+6dfb954c | |
| | xmlstreambuffer >= 1.5.4-8.module+el8.2.0+5723+4574fbff | |
| | xsom >= 0-19.20110809svn.module+el8.1.0+3366+6dfb954c | |
| SUSE Liberty Linux 9 | pki-acme >= 11.0.6-2.el9_0 | Patchnames: RHSA-2022:7326 |
| | pki-base >= 11.0.6-2.el9_0 | |
| | pki-base-java >= 11.0.6-2.el9_0 | |
| | pki-ca >= 11.0.6-2.el9_0 | |
| | pki-kra >= 11.0.6-2.el9_0 | |
| | pki-server >= 11.0.6-2.el9_0 | |
| | pki-symkey >= 11.0.6-2.el9_0 | |
| | pki-tools >= 11.0.6-2.el9_0 | |
| | python3-pki >= 11.0.6-2.el9_0 | |
SUSE Timeline for this CVE
CVE page created: Thu Jul 14 22:00:08 2022
CVE page last modified: Mon Oct 30 18:15:36 2023