CVE-2022-34269

Published: Feb 29, 2024Modified: Apr 16, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.

Affected (1)

Products: Rws: Worldserver

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rws Worldserver	Before 11.7.3

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://www.rws.com/localization/products/trados-enterprise/worldserver/

Source: cve@mitre.org

Product

https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.rws.com/localization/products/trados-enterprise/worldserver/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.