CVE-2022-2414
published 2022-07-29CVE-2022-2414: Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially…
PriorityP185high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
85.32%
99.7th percentile
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dogtag-pki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| dogtagpki | dogtagpki | — | — |
| tenda | ax12_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlPOST /ca/rest/certrequests HTTP/1.1
sigma
HTTP POST to /ca/rest/certrequests with Content-Type: application/xml containing DOCTYPE and ENTITY declarations
- →Look for HTTP POST requests to /ca/rest/certrequests with Content-Type: application/xml containing XML DOCTYPE declarations with external ENTITY references (XXE payload pattern: <!DOCTYPE ... <!ENTITY ent SYSTEM ...> with &ent; in body)
- →A successful XXE exploitation response will contain a HTTP 400 Bad Request with Content-Type: application/xml and a PKIException body that includes file contents (e.g. /etc/passwd contents with root:.*:0:0: pattern) ↗
- →Response header Content-Type: application/xml combined with HTTP 400 status and PKIException in body indicates a vulnerable FreeIPA/Dogtag PKI endpoint that processed the XXE payload
- →Shodan/FOFA queries to identify exposed FreeIPA instances: search for title 'Identity Management' with html containing 'FreeIPA'
- →Google dork to identify exposed FreeIPA instances: intitle:"identity management" html:"freeipa"
- ·The XXE vulnerability exists in pki-core (Dogtag PKI / FreeIPA). The affected CPE is cpe:2.3:a:dogtagpki:dogtagpki:10.5.18. Red Hat Certificate System 10 and RHEL 6 (out of support scope) are listed as affected packages.
- ·Ubuntu advisory notes this issue only affected Ubuntu 16.04 LTS for CVE-2022-2414, meaning patched versions in later Ubuntu releases are not vulnerable. ↗
- ·Debian bullseye status is listed as 'open', meaning the vulnerability may remain unpatched on that platform at time of source publication. ↗
- ·Red Hat states there is no known mitigation; the only remediation is to update the affected package. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vulncheck7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu5.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Dogtag PKI vulnerabilities
vendor_ubuntu·2024-12-10·CVSS 5.9
CVE-2020-25715 [MEDIUM] Dogtag PKI vulnerabilities
Title: Dogtag PKI vulnerabilities
Summary: Several security issues were fixed in dogtag-pki.
Christina Fu discovered that Dogtag PKI accidentally enabled a mock
authentication plugin by default. An attacker could potentially use
this flaw to bypass the regular authentication process and trick the
CA server into issuing certificates. This issue only affected Ubuntu
16.04 LTS. (CVE-2017-7537)
It was discovered that Dogtag PKI did not properly sanitize user
input. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 22.04 LTS. (CVE-2020-25715)
It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could potentially retrieve the content of
arbitrary files by sen
Red Hat
pki-core: access to external entities when parsing XML can lead to XXE
vendor_redhat·2022-06-10·CVSS 7.5
CVE-2022-2414 [HIGH] CWE-611 pki-core: access to external entities when parsing XML can lead to XXE
pki-core: access to external entities when parsing XML can lead to XXE
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Mitigation: There is no known mitigation for this issue, please update the affected package as soon as possible.
Package: pki-core (Red Hat Certificate System 10) - Affected
Package: pki-core (Red Hat Enterprise Linux 6) -
Debian
CVE-2022-2414: dogtag-pki - Access to external entities when parsing XML documents can lead to XML external ...
vendor_debian·2022·CVSS 7.5
CVE-2022-2414 [HIGH] CVE-2022-2414: dogtag-pki - Access to external entities when parsing XML documents can lead to XML external ...
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Scope: local
bullseye: open
OSV
dogtag-pki vulnerabilities
osv·2024-12-10·CVSS 7.5
CVE-2017-7537 [HIGH] dogtag-pki vulnerabilities
dogtag-pki vulnerabilities
Christina Fu discovered that Dogtag PKI accidentally enabled a mock
authentication plugin by default. An attacker could potentially use
this flaw to bypass the regular authentication process and trick the
CA server into issuing certificates. This issue only affected Ubuntu
16.04 LTS. (CVE-2017-7537)
It was discovered that Dogtag PKI did not properly sanitize user
input. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 22.04 LTS. (CVE-2020-25715)
It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could potentially retrieve the content of
arbitrary files by sending specially crafted HTTP requests. This issue
only affected Ubun
GHSA
GHSA-vc9r-97qq-w3qh: There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22
ghsa_unreviewed·2023-01-05·CVSS 7.5
CVE-2022-45995 [HIGH] CWE-120 GHSA-vc9r-97qq-w3qh: There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22
There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22.03.01.21 _ cn. This vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vulnerability from CVE-2022-2414.
GHSA
GHSA-vjf8-hc3f-mpw4: Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks
ghsa_unreviewed·2022-07-30
CVE-2022-2414 [HIGH] CWE-611 GHSA-vjf8-hc3f-mpw4: Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
OSV
CVE-2022-2414: Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks
osv·2022-07-29·CVSS 7.5
CVE-2022-2414 [HIGH] CVE-2022-2414: Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
VulnCheck
dogtagpki dogtagpki Improper Restriction of XML External Entity Reference
vulncheck·2022·CVSS 7.5
CVE-2022-2414 [HIGH] dogtagpki dogtagpki Improper Restriction of XML External Entity Reference
dogtagpki dogtagpki Improper Restriction of XML External Entity Reference
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Affected: dogtagpki dogtagpki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2022-2414; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-21&host_type=src&vulnerability=cve-2022-2414; https://das
No detection rules found.
Nuclei
FreeIPA - XML Entity Injection
nuclei·CVSS 7.5
CVE-2022-2414 [HIGH] FreeIPA - XML Entity Injection
FreeIPA - XML Entity Injection
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
Template:
id: CVE-2022-2414
info:
name: FreeIPA - XML Entity Injection
author: DhiyaneshDk
severity: high
description: |
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
impact: |
An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server.
remediation: |
Apply the latest security pat
HackerOne
XML E██████ternal Entity (XXE) Injection in ███
hackerone·2026-01-12·CVSS 7.5
CVE-2022-2414 [HIGH] XML E██████ternal Entity (XXE) Injection in ███
XML E██████ternal Entity (XXE) Injection in ███
Description
CVE-2022-2414 describes an XML E██████ternal Entity (XXE) injection vulnerability. XXE vulnerabilities occur when an application parses XML input that contains a reference to an e██████████ternal entity. When the XML parser is improperly configured to process e███████ternal entities, it can allow an attacker to███████
Read arbitrary files on the server.
Perform server-side request forgery (SSRF).
Conduct denial-of-service (DoS) attacks.
E█████████ecute remote code (in rare cases).
Host name█████ ██████████
POC████████
request█████████
```
POST /ca/rest/certrequests HTTP/1.1
Host███ ██████████
Sec-Ch-Ua███████ "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
Sec-Ch-Ua-Mobile██████████ ?0
Sec-Ch-Ua-Platform█████
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
NoiseLetter April 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2022-07-29
Published
Exploited in the wild