CVE-2022-2838 : In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used wi

In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

Published 2022-08-16 10:15:08

Updated 2022-08-18 11:53:16

Source MITRE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2022-2838

Eclipse » Sphinx
Versions from including (>=) 0.7.0 and before (<) 0.13.1
cpe:2.3:a:eclipse:sphinx:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-2838

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-2838

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-2838

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Assigned by:
- cve@mitre.org (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-2838

https://bugs.eclipse.org/580542

Issue Tracking;Permissions Required;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-2838

Products affected by CVE-2022-2838

Exploit prediction scoring system (EPSS) score for CVE-2022-2838

CVSS scores for CVE-2022-2838

CWE ids for CVE-2022-2838

References for CVE-2022-2838