CVE-2022-21949
Severity
8.8 HIGH
EPSS
1.6%
top 18.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 3
Latest update: May 4
Description
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects SUSE Open Build Service versions prior to 2.10.13.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details (3)
GHSA
GHSA-3wrh-hc8c-4jpw: An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entitie (2022-05-04)
OSV
CVE-2022-21949: An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entitie (2022-05-03)
Vendor Advisories (1)
Debian
CVE-2022-21949: ruby-xmlhash - An Improper Restriction of XML External Entity Reference vulnerability in SUSE Op... (2022)