Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-2458: Possible XML External Entity Injection attack

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application’s processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

CVE
#vulnerability#google#linux#red_hat#ibm

Bug 2107994 (CVE-2022-2458) - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack

Summary: CVE-2022-2458 Business-central: Possible XML External Entity Injection attack

Keywords:

Status:

NEW

Alias:

CVE-2022-2458

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

Blocks:

2107984

TreeView+

depends on / blocked

Reported:

2022-07-18 08:22 UTC by Paramvir jindal

Modified:

2022-08-12 04:37 UTC (History)

CC List:

12 users (show)

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

An XML external entity injection(XXE) vulnerability was found in Business Central. This flaw allows an attacker to interfere with an application’s processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, the XML external entity injection leads to External Service interaction and an Internal file read in Business Central and Kie-Server APIs.

Clone Of:

Environment:

Last Closed:

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Description Paramvir jindal 2022-07-18 08:22:59 UTC

IBM pentesting results : https://docs.google.com/spreadsheets/d/1Iwbhk0lwGoNskLidsY5CXmc5MwKt5VfmJCaX21xyruo

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application’s processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

Note You need to log in before you can comment on or make changes to this bug.

Related news

Red Hat Security Advisory 2022-6813-01

Red Hat Security Advisory 2022-6813-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include XML injection, bypass, denial of service, and traversal vulnerabilities.

RHSA-2022:6813: Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.1 security update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7746: chart.js: prototype pollution * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2021-23436: immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477 * CVE-2021-44906: minimist: prototype pollution * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-202...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907