CVE-2022-31261

{"id": "CVE-2022-31261", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-05-24T15:15:08.480", "references": [{"url": "https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://support.morpheusdata.com/s/?language=en_US", "tags": ["Not Applicable", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.morpheusdata.com/s/?language=en_US", "tags": ["Not Applicable", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to."}, {"lang": "es", "value": "Se ha detectado un problema de tipo XXE en Morpheus versiones hasta 5.2.16 y desde la 5.4.x hasta 5.4.4. Un ataque con \u00e9xito requiere que sea configurado un proveedor de identidad SAML. Para explotar la vulnerabilidad, el atacante debe conocer el ID de devoluci\u00f3n de llamada SAML \u00fanico del origen de identidad configurado. Un atacante remoto puede enviar una petici\u00f3n dise\u00f1ada con una carga \u00fatil de tipo XXE para invocar un DTD malicioso alojado en un sistema que controla. Esto resulta en la lectura de archivos locales a los que la aplicaci\u00f3n presenta acceso"}], "lastModified": "2024-11-21T07:04:14.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:morpheusdata:morpheus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5D09AD2-B901-4578-88C3-D0B98D800253", "versionEndIncluding": "5.2.16"}, {"criteria": "cpe:2.3:a:morpheusdata:morpheus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "278EEF9E-3CC6-48E5-A723-A9D0174BBEE7", "versionEndIncluding": "5.4.4", "versionStartIncluding": "5.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}