CVE-2022-2414
published 2022-07-29

Priority: P1
Severity: high (CVSS 3.1 base score 7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation: exploited in the wild; exploit available; listed in VulnCheck KEV
EPSS: 85.32% (99.7th percentile)
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

Affected

9 ranges (version range and fixed-in values are not present in this extract)

Vendor      Product         Version range   Fixed in
debian      dogtag-pki      -               -
dogtagpki   dogtagpki       -               -          (7 ranges)
tenda       ax12_firmware   -               -

Detection & IOCs (extracted from sources)

url:   POST /ca/rest/certrequests HTTP/1.1
path:  /ca/rest/certrequests
sigma: HTTP POST to /ca/rest/certrequests with Content-Type: application/xml containing DOCTYPE and ENTITY declarations
  • Look for HTTP POST requests to /ca/rest/certrequests with Content-Type: application/xml containing XML DOCTYPE declarations with external ENTITY references (XXE payload pattern: <!DOCTYPE ... <!ENTITY ent SYSTEM ...> with &ent; in the body)
  • A successful XXE exploitation response will contain an HTTP 400 Bad Request with Content-Type: application/xml and a PKIException body that includes file contents (e.g. /etc/passwd contents matching the root:.*:0:0: pattern)
  • Response header Content-Type: application/xml combined with HTTP 400 status and PKIException in the body indicates a vulnerable FreeIPA/Dogtag PKI endpoint that processed the XXE payload
  • Shodan/FOFA queries to identify exposed FreeIPA instances: search for title 'Identity Management' with html containing 'FreeIPA'
  • Google dork to identify exposed FreeIPA instances: intitle:"identity management" html:"freeipa"
  • The XXE vulnerability exists in pki-core (Dogtag PKI / FreeIPA). The affected CPE is cpe:2.3:a:dogtagpki:dogtagpki:10.5.18. Red Hat Certificate System 10 and RHEL 6 (out of support scope) are listed as affected packages.
  • The Ubuntu advisory notes that this issue only affected Ubuntu 16.04 LTS for CVE-2022-2414, meaning patched versions in later Ubuntu releases are not vulnerable.
  • Debian bullseye status is listed as 'open', meaning the vulnerability may remain unpatched on that platform at the time of source publication.
  • Red Hat states there is no known mitigation; the only remediation is to update the affected package.
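The request/response pattern in the detection notes above, turned into checkable logic. This is an added example, not code from the advisory sources or from the Dogtag PKI project; the HTTP exchanges it runs over are constructed samples, and the indicator names and the `assess_exchange` verdict labels are this example's own choices. It flags a request as an XXE attempt when it is a POST to /ca/rest/certrequests with an XML content type whose body declares an external entity that is then referenced, and escalates to a confirmed leak only when the paired response is a 400 with a PKIException body carrying the /etc/passwd root-line pattern the notes describe.

```python
"""Detection logic for the CVE-2022-2414 request/response pattern.

Added example (not from the advisory or Dogtag PKI). The HTTP messages
below are constructed samples, not captured traffic.
"""
import re
from typing import Dict, List, Tuple

TARGET_PATH = "/ca/rest/certrequests"

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declaration: <!ENTITY name SYSTEM "..."> or PUBLIC "..." "..."
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Leaked /etc/passwd root line, the indicator named in the detection notes
PASSWD_LEAK_RE = re.compile(r"root:[^:\n]*:0:0:")


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only messages from log exports
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    start = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def is_xml_content(headers: Dict[str, str]) -> bool:
    return "xml" in headers.get("content-type", "").lower()


def xxe_request_indicators(raw_request: str) -> List[str]:
    """Request-side indicators present, in order; empty list means not the target endpoint."""
    start, headers, body = parse_http(raw_request)
    parts = start.split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    if parts[1].split("?", 1)[0] != TARGET_PATH:
        return []
    found = ["post_certrequests"]
    if is_xml_content(headers):
        found.append("xml_content_type")
    if DOCTYPE_RE.search(body):
        found.append("doctype")
    m = EXT_ENTITY_RE.search(body)
    if m:
        found.append("external_entity")
        if f"&{m.group(1)};" in body:  # declared entity is actually expanded
            found.append("entity_referenced")
    return found


def xxe_response_indicators(raw_response: str) -> List[str]:
    """Response-side indicators: 400 status, XML body, PKIException, file content echoed back."""
    start, headers, body = parse_http(raw_response)
    parts = start.split()
    status = parts[1] if len(parts) > 1 else ""
    found = []
    if status == "400":
        found.append("status_400")
    if is_xml_content(headers):
        found.append("xml_content_type")
    if "PKIException" in body:
        found.append("pkiexception")
    if PASSWD_LEAK_RE.search(body):
        found.append("file_content_leak")
    return found


def assess_exchange(raw_request: str, raw_response: str) -> str:
    """Verdict: 'benign', 'xxe_attempt' (payload seen) or 'xxe_success' (payload seen and file content leaked)."""
    req = xxe_request_indicators(raw_request)
    if "doctype" not in req or "external_entity" not in req:
        return "benign"
    resp = set(xxe_response_indicators(raw_response))
    if {"status_400", "pkiexception", "file_content_leak"} <= resp:
        return "xxe_success"
    return "xxe_attempt"


# Constructed samples (hostname, profile and message text are made up).
BENIGN_REQUEST = ("POST /ca/rest/certrequests HTTP/1.1\r\nHost: ipa.example.test\r\n"
                  "Content-Type: application/xml\r\n\r\n"
                  "<CertEnrollmentRequest><ProfileID>caUserCert</ProfileID></CertEnrollmentRequest>")
XXE_REQUEST = ("POST /ca/rest/certrequests HTTP/1.1\r\nHost: ipa.example.test\r\n"
               "Content-Type: application/xml\r\n\r\n"
               '<!DOCTYPE x [<!ENTITY ent SYSTEM "file:///etc/passwd">]>'
               "<CertEnrollmentRequest><ProfileID>&ent;</ProfileID></CertEnrollmentRequest>")
NORMAL_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n<CertRequestInfos/>"
LEAK_RESPONSE = ("HTTP/1.1 400 Bad Request\r\nContent-Type: application/xml\r\n\r\n"
                 "<PKIException><Message>Profile root:x:0:0:root:/root:/bin/bash not found"
                 "</Message></PKIException>")

if __name__ == "__main__":
    for label, req, resp in [("benign", BENIGN_REQUEST, NORMAL_RESPONSE),
                             ("patched host", XXE_REQUEST, NORMAL_RESPONSE),
                             ("vulnerable host", XXE_REQUEST, LEAK_RESPONSE)]:
        print(f"{label}: {assess_exchange(req, resp)}")
```

The request-side check alone is enough to alert on; the response-side check is what separates a blocked probe from a host that actually disclosed file content, which matters for scoping an incident. Because the request check keys on the endpoint path and the entity declaration rather than on any particular file name, it also catches variants that target files other than /etc/passwd, whereas the leak regex is deliberately narrow to the indicator the notes give.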

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             3.1            7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv             -              7.5     HIGH       -
vulncheck       -              7.5     HIGH       -
vendor_debian   -              7.5     HIGH       -
vendor_redhat   -              7.5     HIGH       -
vendor_ubuntu   -              5.9     MEDIUM     -