CVE-2022-50899 — MEDIUM (6.5)

Q: How severe is CVE-2022-50899?

CVE-2022-50899 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-50899?

Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Geonetwork.

Vulnerability Description

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Osgeo	Geonetwork	>= 3.10.0, <= 4.2.0

Related Weaknesses (CWE)

CWE-611

References

https://geonetwork-opensource.org/Product
https://www.exploit-db.com/exploits/50982ExploitVDB Entry
https://www.vulncheck.com/advisories/geonetwork-xml-external-entity-xxeThird Party Advisory

FAQ

What is CVE-2022-50899?

CVE-2022-50899 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML p...

How severe is CVE-2022-50899?

CVE-2022-50899 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-50899?

Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Geonetwork.