CVE-2022-32533 - OpenCVE

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Jetspeed

Configuration 1 [-]

cpe:2.3:a:apache:jetspeed:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/07/06/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2	Mailing List Vendor Advisory
https://www.openwall.com/lists/oss-security/2022/07/06/1	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-07-06T09:40:12

Updated: 2022-07-06T11:06:11

Reserved: 2022-06-07T00:00:00

Link: CVE-2022-32533

JSON object: View

NVD Information

Status : Modified

Published: 2022-07-06T10:15:09.943

Modified: 2024-05-17T02:10:02.090

Link: CVE-2022-32533

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Apache Portals", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Jetspeed 2.3.1"}]}], "credits": [{"lang": "en", "value": "Thanks to RunningSnail for reporting."}], "descriptions": [{"lang": "en", "value": "Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue"}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-06T11:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-32533", "STATE": "PUBLIC", "TITLE": "Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Portals", "version": {"version_data": [{"version_affected": "=", "version_name": "Jetspeed", "version_value": "2.3.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Thanks to RunningSnail for reporting."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-Site Scripting (XSS); CWE-352: Cross-Site Request Forgery (CSRF); CWE-918: Server-Side Request Forgery (SSRF); CWE-611: XML eXternal Entities (XXE)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2", "refsource": "MISC", "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"name": "https://www.openwall.com/lists/oss-security/2022/07/06/1", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"name": "[oss-security] 20220706 CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-32533", "datePublished": "2022-07-06T09:40:12", "dateReserved": "2022-06-07T00:00:00", "dateUpdated": "2022-07-06T11:06:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jetspeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "D926FB46-D037-44CC-8A01-F54C4DEE5EE7", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option \"xss.filter.post = true\" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue"}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Apache Jetspeed-2 no filtra suficientemente la entrada del usuario no confiable por defecto, lo que conlleva a una serie de problemas como XSS, CSRF, XXE y SSRF. Establecer la opci\u00f3n de configuraci\u00f3n \"xss.filter.post = true\" puede mitigar estos problemas. NOTA: Apache Jetspeed es un proyecto inactivo de Apache Portals y no ser\u00e1n proporcionadas actualizaciones para este problema"}], "id": "CVE-2022-32533", "lastModified": "2024-05-17T02:10:02.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-06T10:15:09.943", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/07/06/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2022/07/06/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Secondary"}]}