CVE-2022-43473

Exploit

EPSS 2.02%
Published 30.03.2023 17:15:06
Last modified 21.11.2024 07:26:33
Source talos-cna@cisco.com
Teams watchlist Login
Open Login

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve 
a malicious XML payload to trigger this vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Opmanager Version < 12.6

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126000

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126001

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126002

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126004

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126005

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126100

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126101

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126102

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126103

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126104

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126107

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126108

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126109

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126110

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126113

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126114

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126115

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126116

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126117

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126118

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126119

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126120

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126121

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126122

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126130

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126131

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126132

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126134

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126135

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126136

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126139

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126141

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126147

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126148

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126149

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126150

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126151

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126154

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126155

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126162

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126163

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126164

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126165

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126166

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126167

Zohocorp ≫ Manageengine Opmanager Version12.6 Updatebuild126168

Zohocorp ≫ Manageengine Opmanager Plus Version < 12.6

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126001

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126002

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126100

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126103

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126104

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126107

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126113

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126117

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126119

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126122

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126139

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126140

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126141

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126154

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126155

Zohocorp ≫ Manageengine Opmanager Plus Version12.6 Updatebuild126264

Zohocorp ≫ Manageengine Opmanager Msp Version < 12.6

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126001

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126002

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126100

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126103

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126104

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126107

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126113

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126117

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126119

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126122

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126139

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126140

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126141

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126154

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126155

Zohocorp ≫ Manageengine Opmanager Msp Version12.6 Updatebuild126264

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.02%	0.83

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
talos-cna@cisco.com	5.8	1.6	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685

Third Party Advisory

Exploit

https://www.manageengine.com/itom/advisory/cve-2022-43473.html

Patch

Vendor Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1685

https://nvd.nist.gov/vuln/detail/CVE-2022-43473

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-43473

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-43473

EUVD