Lucene search

[email protected]CVE-2022-2838

HistoryAug 16, 2022 - 10:15 a.m.

CVE-2022-2838

2022-08-1610:15:08

CWE-611

[email protected]

web.nvd.nist.gov

eclipse sphinx

apache xerces

cve-2022-2838

xml parser

security vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

Affected configurations

NVD

Node

eclipsesphinxRange0.7.0–0.13.1

CPENameOperatorVersion
eclipse:sphinxeclipse sphinxlt0.13.1

CPE	Name	Operator	Version
eclipse:sphinx	eclipse sphinx	lt	0.13.1

CNA Affected

[
  {
    "product": "Eclipse Sphinx",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.7.0",
        "versionType": "custom"
      },
      {
        "lessThan": "0.13.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

bugs.eclipse.org/580542

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

Related for CVE-2022-2838

cvelist1 nvd1 prion1