CVE-2022-45326 - Vulnerability Details - OpenCVE

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Kwoksys	Information Server

Configuration 1 [-]

OR	cpe:2.3:a:kwoksys:information_server::::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp23::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp25::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp26::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp29::::::
	cpe:2.3:a:kwoksys:information_server:2.9.5:sp30::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-48225	An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.kwoksys.com/wiki/index.php?title=Release_Notes
https://www.navsec.net/2022/11/12/kwoksys-xxe.html

History

Wed, 23 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-12-06T00:00:00.000Z

Updated: 2025-04-23T14:18:36.654Z

Reserved: 2022-11-14T00:00:00.000Z

Link: CVE-2022-45326

Vulnrichment

Updated: 2024-08-03T14:09:56.890Z

NVD

Status : Modified

Published: 2022-12-06T17:15:11.057

Modified: 2025-04-23T15:15:53.797

Link: CVE-2022-45326

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45326", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-23T14:18:36.654Z", "dateReserved": "2022-11-14T00:00:00.000Z", "datePublished": "2022-12-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-06T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:56.890Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes", "tags": ["x_transferred"]}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:18:07.400008Z", "id": "CVE-2022-45326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:18:36.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes", "tags": ["x_transferred"]}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:56.890Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-45326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:18:07.400008Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:18:29.597Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"}, {"url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"}], "descriptions": [{"lang": "en", "value": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-06T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-45326", "state": "PUBLISHED", "dateUpdated": "2025-04-23T14:18:36.654Z", "dateReserved": "2022-11-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-12-06T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kwoksys:information_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "406A7032-975A-4DD1-B1C8-19445BEB203C", "versionEndExcluding": "2.9.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp23:*:*:*:*:*:*", "matchCriteriaId": "3C33D444-187A-4703-BD87-EE8B748C1BCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp25:*:*:*:*:*:*", "matchCriteriaId": "A4E1CF97-7E82-4F85-BC10-97EABDAC57D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp26:*:*:*:*:*:*", "matchCriteriaId": "8E36B49B-02CB-46A7-8492-7AC70D6E6ED2", "vulnerable": true}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp29:*:*:*:*:*:*", "matchCriteriaId": "D55EB26E-CE1A-407C-97A6-B5C04EDC15AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:kwoksys:information_server:2.9.5:sp30:*:*:*:*:*:*", "matchCriteriaId": "4F15C079-2333-43C9-8328-564F1F3D0EB2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de entidad externa XML (XXE) en Kwoksys Kwok Information Server anterior a v2.9.5.SP31 permite a usuarios remotos autenticados realizar ataques de server-side request forgery (SSRF)."}], "id": "CVE-2022-45326", "lastModified": "2025-04-23T15:15:53.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-06T17:15:11.057", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.kwoksys.com/wiki/index.php?title=Release_Notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.navsec.net/2022/11/12/kwoksys-xxe.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}