CVE-2022-45326

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.kwoksys.com/wiki/index.php?title=Release_Notes	Release Notes Vendor Advisory
https://www.navsec.net/2022/11/12/kwoksys-xxe.html	Exploit Patch Third Party Advisory
http://www.kwoksys.com/wiki/index.php?title=Release_Notes	Release Notes Vendor Advisory
https://www.navsec.net/2022/11/12/kwoksys-xxe.html	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kwoksys:information_server::::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp23::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp25::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp26::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp29::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp30::::::

History

21 Nov 2024, 07:29

Type	Values Removed	Values Added
References	~~() http://www.kwoksys.com/wiki/index.php?title=Release_Notes - Release Notes, Vendor Advisory~~	() http://www.kwoksys.com/wiki/index.php?title=Release_Notes - Release Notes, Vendor Advisory
References	~~() https://www.navsec.net/2022/11/12/kwoksys-xxe.html - Exploit, Patch, Third Party Advisory~~	() https://www.navsec.net/2022/11/12/kwoksys-xxe.html - Exploit, Patch, Third Party Advisory

Information

Published : 2022-12-06 17:15

Updated : 2024-11-21 07:29

NVD link : CVE-2022-45326

Mitre link : CVE-2022-45326

CVE.ORG link : CVE-2022-45326

JSON object : View

Products Affected

kwoksys

information_server

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2022-45326", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2022-12-06T17:15:11.057", "references": [{"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de entidad externa XML (XXE) en Kwoksys Kwok Information Server anterior a v2.9.5.SP31 permite a usuarios remotos autenticados realizar ataques de server-side request forgery (SSRF)."}], "lastModified": "2024-11-21T07:29:03.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kwoksys:information_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "406A7032-975A-4DD1-B1C8-19445BEB203C", "versionEndExcluding": "2.9.5"}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp23:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C33D444-187A-4703-BD87-EE8B748C1BCE"}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp25:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4E1CF97-7E82-4F85-BC10-97EABDAC57D9"}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp26:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E36B49B-02CB-46A7-8492-7AC70D6E6ED2"}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp29:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D55EB26E-CE1A-407C-97A6-B5C04EDC15AF"}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp30:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F15C079-2333-43C9-8328-564F1F3D0EB2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}