Lucene search
Veracode Vulnerability DatabaseVERACODE:40183HistoryApr 19, 2023 - 7:15 a.m.
Privilege Escalation
2023-04-1907:15:46
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
privilege escalation
apache sling
software vulnerability
requestdispatcher api
0.002 Low
EPSS
Percentile
58.3%
org.apache.sling:org.apache.sling.engine is vulnerable to Privilege Escalation. When an attacker is able to include a resource with specific content-type and control the include path, it allows the attacker to elevate privileges and acquire administrative power, because SlingRequestDispatcher doesn’t correctly implement the RequestDispatcher API.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache sling engine | le | 2.13.0 | |
| apache sling engine | le | 2.13.0 |
References
www.openwall.com/lists/oss-security/2023/04/18/6
github.com/advisories/GHSA-mg46-f9h5-g27x
github.com/apache/sling-org-apache-sling-engine/commit/5d8df331c2ef9eae1cec386ccdbe32c9968b104c
github.com/apache/sling-org-apache-sling-engine/pull/29
issues.apache.org/jira/browse/SLING-11722
lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok
Related
cve
cve
CVE-2022-45064
2023-04-13 11:15:06
osv
osv
Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation
2023-04-13 12:30:35
CVE-2022-45064
2023-04-13 11:15:06
prion
prion
Cross site scripting
2023-04-13 11:15:00
github
github
nvd
nvd
CVE-2022-45064
2023-04-13 11:15:06
cvelist
cvelist
CVE-2022-45064 Apache Sling Engine: Include-based XSS
2023-04-13 10:01:14