Lucene search

EclipseCVE-2022-2838

HistoryAug 16, 2022 - 10:15 a.m.

CVE-2022-2838

2022-08-1610:15:08

CWE-611

eclipse

web.nvd.nist.gov

eclipse sphinx

apache xerces

cve-2022-2838

xml parser

security vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

48.1%

JSON

In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

Affected configurations

Nvd

Node

eclipsesphinxRange0.7.0–0.13.1

VendorProductVersionCPE
eclipsesphinx*cpe:2.3:a:eclipse:sphinx:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
eclipse	sphinx	*	cpe:2.3:a:eclipse:sphinx::::::::

CNA Affected

[
  {
    "product": "Eclipse Sphinx",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.7.0",
        "versionType": "custom"
      },
      {
        "lessThan": "0.13.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

bugs.eclipse.org/580542

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

48.1%

JSON

Related for CVE-2022-2838