Server side request forgery (ssrf)

2022-10-1810:15:00

PRIOn knowledge base

www.prio-n.com

xxe

vulnerability

epo

ssrf

api

exploit

remote attacker

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.9%

JSON

An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.

CPENameOperatorVersion
epolicy_orchestratoreq5.10.0 update-1
epolicy_orchestratoreq5.10.0 update-2
epolicy_orchestratoreq5.10.0 update-3
epolicy_orchestratoreq5.10.0 update-4
epolicy_orchestratoreq5.10.0 update-5
epolicy_orchestratoreq5.10.0 update-6
epolicy_orchestratoreq5.10.0
epolicy_orchestratorlt5.10.0
epolicy_orchestratoreq5.10.0 update-7
epolicy_orchestratoreq5.10.0 update-8

Name	Operator	Version
epolicy_orchestrator	eq	5.10.0 update-1
epolicy_orchestrator	eq	5.10.0 update-2
epolicy_orchestrator	eq	5.10.0 update-3
epolicy_orchestrator	eq	5.10.0 update-4
epolicy_orchestrator	eq	5.10.0 update-5
epolicy_orchestrator	eq	5.10.0 update-6
epolicy_orchestrator	eq	5.10.0
epolicy_orchestrator	lt	5.10.0
epolicy_orchestrator	eq	5.10.0 update-7
epolicy_orchestrator	eq	5.10.0 update-8