XML External Entity injection in TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-22774 |
| CWE-ID | CWE-611 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TIBCO Managed File Transfer Command Center Server applications / Other server solutions TIBCO Managed File Transfer Internet Server Server applications / Other server solutions |
| Vendor | TIBCO |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) XML External Entity injection
EUVDB-ID: #VU63167
Risk: High
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22774
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied XML input in the DOM XML parser and SAX XML parser. A remote attacker can pass a specially crafted XML code and update, insert or delete access to data on the affected system and associated resources.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTIBCO Managed File Transfer Command Center: 8.0.0 - 8.4.1
TIBCO Managed File Transfer Internet Server: 8.0.0 - 8.4.1
External linkshttp://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
