CVE-2022-32458 (GCVE-0-2022-32458)
Vulnerability from cvelistv5 – Published: 2022-07-20 02:01 – Updated: 2024-09-16 18:39
VLAI
Title
Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection
Summary
Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.
Severity
7.5 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html | x_refsource_MISC |
| https://www.chtsecurity.com/news/09757883-fea6-4a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Data Systems Consulting Co., Ltd. | BPM |
Affected:
unspecified , ≤ 5.8.6.1
(custom)
|
Date Public
2022-07-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:51.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BPM",
"vendor": "Data Systems Consulting Co., Ltd.",
"versions": [
{
"lessThanOrEqual": "5.8.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-09T20:07:16.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to 5.8.8.1"
}
],
"source": {
"advisory": "TVN-202206003",
"discovery": "EXTERNAL"
},
"title": "Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2022-07-11T01:27:00.000Z",
"ID": "CVE-2022-32458",
"STATE": "PUBLIC",
"TITLE": "Data Systems Consulting Co., Ltd. BPM - XML External Entity (XXE) Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BPM",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "5.8.6.1"
}
]
}
}
]
},
"vendor_name": "Data Systems Consulting Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html"
},
{
"name": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to 5.8.8.1"
}
],
"source": {
"advisory": "TVN-202206003",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2022-32458",
"datePublished": "2022-07-20T02:01:30.078Z",
"dateReserved": "2022-06-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:39:22.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-32458",
"date": "2026-05-31",
"epss": "0.01071",
"percentile": "0.78026"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:digiwin:business_process_management:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.8.8.1\", \"matchCriteriaId\": \"619DB3E6-07FE-4F18-A00C-8247958923A4\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.\"}, {\"lang\": \"es\", \"value\": \"Digiwin BPM presenta una vulnerabilidad de Inyecci\\u00f3n de tipo XML External Entity Injection (XXE) debido a que no es comprobado suficientemente la entrada del usuario. Un atacante remoto no autenticado puede llevar a cabo un ataque de inyecci\\u00f3n XML para acceder a archivos arbitrarios del sistema\"}]",
"id": "CVE-2022-32458",
"lastModified": "2024-11-21T07:06:23.470",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"twcert@cert.org.tw\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2022-07-20T02:15:07.557",
"references": "[{\"url\": \"https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb\", \"source\": \"twcert@cert.org.tw\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html\", \"source\": \"twcert@cert.org.tw\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "twcert@cert.org.tw",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"twcert@cert.org.tw\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-32458\",\"sourceIdentifier\":\"twcert@cert.org.tw\",\"published\":\"2022-07-20T02:15:07.557\",\"lastModified\":\"2024-11-21T07:06:23.470\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.\"},{\"lang\":\"es\",\"value\":\"Digiwin BPM presenta una vulnerabilidad de Inyecci\u00f3n de tipo XML External Entity Injection (XXE) debido a que no es comprobado suficientemente la entrada del usuario. Un atacante remoto no autenticado puede llevar a cabo un ataque de inyecci\u00f3n XML para acceder a archivos arbitrarios del sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:digiwin:business_process_management:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.8.8.1\",\"matchCriteriaId\":\"619DB3E6-07FE-4F18-A00C-8247958923A4\"}]}]}],\"references\":[{\"url\":\"https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb\",\"source\":\"twcert@cert.org.tw\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html\",\"source\":\"twcert@cert.org.tw\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…