CVE-2022-32533 - OpenCVE

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Jetspeed

Configuration 1 [-]

cpe:2.3:a:apache:jetspeed:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/07/06/1
https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2
https://www.openwall.com/lists/oss-security/2022/07/06/1

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-07-06T09:40:12

Updated: 2024-08-03T07:46:43.528Z

Reserved: 2022-06-07T00:00:00

Link: CVE-2022-32533

Vulnrichment

Updated: 2024-08-03T07:46:43.528Z

NVD

Status : Modified

Published: 2022-07-06T10:15:09.943

Modified: 2024-08-03T08:15:40.327

Link: CVE-2022-32533

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Portals", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Jetspeed 2.3.1"}]}], "credits": [{"lang": "en", "value": "Thanks to RunningSnail for reporting."}], "descriptions": [{"lang": "en", "value": "Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue"}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-06T11:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-32533", "STATE": "PUBLIC", "TITLE": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Portals", "version": {"version_data": [{"version_affected": "=", "version_name": "Jetspeed", "version_value": "2.3.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Thanks to RunningSnail for reporting."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "refsource": "MISC", "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"name": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"affected": [{"vendor": "apache", "product": "portals_jetspeed", "cpes": ["cpe:2.3:a:apache:portals_jetspeed:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.3.1", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T19:35:55.841119Z", "id": "CVE-2022-32533", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T19:43:42.902Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:46:43.528Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-32533", "datePublished": "2022-07-06T09:40:12", "dateReserved": "2022-06-07T00:00:00", "dateUpdated": "2024-08-03T07:46:43.528Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/07/06/1", "name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:46:43.528Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-32533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-17T19:35:55.841119Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:portals_jetspeed:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "portals_jetspeed", "versions": [{"status": "affected", "version": "2.3.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T19:43:17.757Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Thanks to RunningSnail for reporting."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Portals", "versions": [{"status": "affected", "version": "Jetspeed 2.3.1"}]}], "references": [{"url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "tags": ["x_refsource_MISC"]}, {"url": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/07/06/1", "name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "tags": ["mailing-list", "x_refsource_MLIST"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-07-06T11:06:11"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Thanks to RunningSnail for reporting."}], "impact": [{"other": "moderate"}], "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "Jetspeed", "version_value": "2.3.1", "version_affected": "="}]}, "product_name": "Apache Portals"}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "name": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "refsource": "MISC"}, {"url": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "name": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2022/07/06/1", "name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-32533", "STATE": "PUBLIC", "TITLE": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "ASSIGNER": "security@apache.org"}}}}, "cveMetadata": {"cveId": "CVE-2022-32533", "state": "PUBLISHED", "dateUpdated": "2024-08-03T07:46:43.528Z", "dateReserved": "2022-06-07T00:00:00", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2022-07-06T09:40:12", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jetspeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "D926FB46-D037-44CC-8A01-F54C4DEE5EE7", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "security@apache.org", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue"}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Apache Jetspeed-2 no filtra suficientemente la entrada del usuario no confiable por defecto, lo que conlleva a una serie de problemas como XSS, CSRF, XXE y SSRF. Establecer la opci\u00f3n de configuraci\u00f3n \"xss.filter.post = true\" puede mitigar estos problemas. NOTA: Apache Jetspeed es un proyecto inactivo de Apache Portals y no ser\u00e1n proporcionadas actualizaciones para este problema"}], "id": "CVE-2022-32533", "lastModified": "2024-08-03T08:15:40.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-07-06T10:15:09.943", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}]}