CVE-2022-25312

Published: Mar 5, 2022Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.

Affected (1)

Products: Apache: Any23

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Any23	Before 2.7

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

http://www.openwall.com/lists/oss-security/2022/03/04/2

Source: security@apache.org

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2022/03/04/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.