Vulnerability-Lookup

CNVD-2022-21221

Vulnerability from cnvd - Published: 2022-03-21

Title

Apache Any23代码问题漏洞

Description

Apache Any23是美国阿帕奇（Apache）基金会的一个库、Web 服务和命令行工具。可从各种 Web 文档中提取 RDF 格式的结构化数据。 Any23 2.7之前版本存在代码问题漏洞，攻击者可利用该漏洞干扰应用程序对XML数据的处理，查看应用程序服务器文件系统上的文件，并与应用程序本身可以访问的任何后端或外部系统进行交互。

Severity

中

Patch Name

Apache Any23代码问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23

Reference

http://www.openwall.com/lists/oss-security/2022/03/04/2

Impacted products

Name
Apache any23 <2.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-25312"
    }
  },
  "description": "Apache Any23\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5e93\u3001Web \u670d\u52a1\u548c\u547d\u4ee4\u884c\u5de5\u5177\u3002\u53ef\u4ece\u5404\u79cd Web \u6587\u6863\u4e2d\u63d0\u53d6 RDF \u683c\u5f0f\u7684\u7ed3\u6784\u5316\u6570\u636e\u3002\n\nAny23 2.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5e72\u6270\u5e94\u7528\u7a0b\u5e8f\u5bf9XML\u6570\u636e\u7684\u5904\u7406\uff0c\u67e5\u770b\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u6587\u4ef6\u7cfb\u7edf\u4e0a\u7684\u6587\u4ef6\uff0c\u5e76\u4e0e\u5e94\u7528\u7a0b\u5e8f\u672c\u8eab\u53ef\u4ee5\u8bbf\u95ee\u7684\u4efb\u4f55\u540e\u7aef\u6216\u5916\u90e8\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-21221",
  "openTime": "2022-03-21",
  "patchDescription": "Apache Any23\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5e93\u3001Web \u670d\u52a1\u548c\u547d\u4ee4\u884c\u5de5\u5177\u3002\u53ef\u4ece\u5404\u79cd Web \u6587\u6863\u4e2d\u63d0\u53d6 RDF \u683c\u5f0f\u7684\u7ed3\u6784\u5316\u6570\u636e\u3002\r\n\r\nAny23 2.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5e72\u6270\u5e94\u7528\u7a0b\u5e8f\u5bf9XML\u6570\u636e\u7684\u5904\u7406\uff0c\u67e5\u770b\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u6587\u4ef6\u7cfb\u7edf\u4e0a\u7684\u6587\u4ef6\uff0c\u5e76\u4e0e\u5e94\u7528\u7a0b\u5e8f\u672c\u8eab\u53ef\u4ee5\u8bbf\u95ee\u7684\u4efb\u4f55\u540e\u7aef\u6216\u5916\u90e8\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Any23\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache any23 \u003c2.7"
  },
  "referenceLink": "http://www.openwall.com/lists/oss-security/2022/03/04/2",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-08",
  "title": "Apache Any23\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2022-25312 (GCVE-0-2022-25312)

Vulnerability from cvelistv5 – Published: 2022-03-04 23:25 – Updated: 2024-08-03 04:36

Title

An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor

Summary

An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7.

Severity ?

No CVSS data available.

CWE

An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/y6cm5n3ksohsrhzqk…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/03/04/2	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Any23	Affected: Apache Any23 2.6 , ≤ 2.6 (custom)

Credits

The Apache Any23 Project Management Committee would like to thank Lion Tree a.k.a liontree0110 for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:36:06.814Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23"
          },
          {
            "name": "[oss-security] 20220304 CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/04/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Any23",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.6",
              "status": "affected",
              "version": "Apache Any23 2.6",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Apache Any23 Project Management Committee would like to thank Lion Tree a.k.a liontree0110 for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions \u003c 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-05T03:06:11",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23"
        },
        {
          "name": "[oss-security] 20220304 CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/04/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-25312",
          "STATE": "PUBLIC",
          "TITLE": "An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Any23",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Any23 2.6",
                            "version_value": "2.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "The Apache Any23 Project Management Committee would like to thank Lion Tree a.k.a liontree0110 for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions \u003c 2.7. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Any23 2.7."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/y6cm5n3ksohsrhzqknqhzy7p3mtkyk23"
            },
            {
              "name": "[oss-security] 20220304 CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/04/2"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-25312",
    "datePublished": "2022-03-04T23:25:08",
    "dateReserved": "2022-02-18T00:00:00",
    "dateUpdated": "2024-08-03T04:36:06.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-21221

CVE-2022-25312 (GCVE-0-2022-25312)

Tags

Sightings

Nomenclature