CVE-2022-3338 — XML External Entity (XXE) Injection in Epolicy Orchestrator

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 42.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trellix Epolicy Orchestrator Mcafee Epolicy Orchestrator

Timeline

PublishedOct 18

Description

An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.7

Affected Packages2 packages

▶NVDmcafee/epolicy_orchestrator< 5.10.0+1

▶CVEListV5trellix/trellix_epolicy_orchestratorunspecified — 5.10 Update 14

🔴Vulnerability Details

CVEList

XXE in Trellix ePO server↗2022-10-18

▶

GHSA

GHSA-g436-fj5g-4gw9: An External XML entity (XXE) vulnerability in ePO prior to 5↗2022-10-18

▶