Mar 23, 2022 - 3:15 p.m.

CVE-2022-0861

2022-03-23 15:15:08
CWE-611
web.nvd.nist.gov
cve-2022-0861
xml
extended entity
vulnerability
mcafee
epolicy orchestrator
epo
remote administrator
attack
upload
malicious file
confidential information
data alteration

CVSS2: 5.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3: 3.8 Low
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

AI Score: 4.8 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 22.8%)

An XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.

Affected configurations

NVD
Node (entries joined by OR)

Vendor  Product               Type   Version
mcafee  epolicy_orchestrator  Range  <5.10.0
mcafee  epolicy_orchestrator  Match  5.10.0 -
mcafee  epolicy_orchestrator  Match  5.10.0 update_1
mcafee  epolicy_orchestrator  Match  5.10.0 update_10
mcafee  epolicy_orchestrator  Match  5.10.0 update_11
mcafee  epolicy_orchestrator  Match  5.10.0 update_12
mcafee  epolicy_orchestrator  Match  5.10.0 update_2
mcafee  epolicy_orchestrator  Match  5.10.0 update_3
mcafee  epolicy_orchestrator  Match  5.10.0 update_4
mcafee  epolicy_orchestrator  Match  5.10.0 update_5
mcafee  epolicy_orchestrator  Match  5.10.0 update_6
mcafee  epolicy_orchestrator  Match  5.10.0 update_7
mcafee  epolicy_orchestrator  Match  5.10.0 update_8
mcafee  epolicy_orchestrator  Match  5.10.0 update_9

CNA Affected

[
  {
    "product": "McAfee ePolicy Orchestrator (ePO)",
    "vendor": "McAfee,LLC",
    "versions": [
      {
        "lessThan": "5.10 CU 13",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
