CVE-2022-43473

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685	Exploit Third Party Advisory
https://www.manageengine.com/itom/advisory/cve-2022-43473.html	Patch Vendor Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685	Exploit Third Party Advisory
https://www.manageengine.com/itom/advisory/cve-2022-43473.html	Patch Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1685

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_opmanager::::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126000::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126001::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126002::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126004::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126005::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126100::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126101::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126102::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126103::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126104::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126107::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126108::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126109::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126110::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126113::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126114::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126115::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126116::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126117::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126118::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126119::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126120::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126121::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126122::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126130::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126131::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126132::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126134::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126135::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126136::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126139::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126141::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126147::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126148::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126149::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126150::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126151::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126154::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126155::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126162::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126163::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126164::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126165::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126166::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126167::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.6:build126168::::::

Configuration 2 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_opmanager_plus::::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126001::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126002::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126100::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126103::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126104::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126107::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126113::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126117::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126119::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126122::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126139::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126140::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126141::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126154::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126155::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_plus:12.6:build126264::::::

Configuration 3 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_opmanager_msp::::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126001::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126002::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126100::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126103::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126104::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126107::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126113::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126117::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126119::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126122::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126139::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126140::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126141::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126154::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126155::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager_msp:12.6:build126264::::::

History

21 Nov 2024, 07:26

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.4~~	v2 : unknown v3 : 5.8
References		() https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1685 -
References	~~() https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685 - Exploit, Third Party Advisory~~	() https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685 - Exploit, Third Party Advisory
References	~~() https://www.manageengine.com/itom/advisory/cve-2022-43473.html - Patch, Vendor Advisory~~	() https://www.manageengine.com/itom/advisory/cve-2022-43473.html - Patch, Vendor Advisory

07 Nov 2023, 03:53

Type	Values Removed	Values Added
Summary	A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.	A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

Information

Published : 2023-03-30 17:15

Updated : 2024-11-21 07:26

NVD link : CVE-2022-43473

Mitre link : CVE-2022-43473

CVE.ORG link : CVE-2022-43473

JSON object : View

Products Affected

zohocorp

manageengine_opmanager_msp
manageengine_opmanager_plus
manageengine_opmanager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

5.8 /10