XML External Entity injection in TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server



Published: 2022-05-13
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-22774
CWE-ID CWE-611
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
TIBCO Managed File Transfer Command Center
Server applications / Other server solutions

TIBCO Managed File Transfer Internet Server
Server applications / Other server solutions

Vendor TIBCO

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) XML External Entity injection

EUVDB-ID: #VU63167

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22774

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied XML input in the DOM XML parser and SAX XML parser. A remote attacker can pass a specially crafted XML code and update, insert or delete access to data on the affected system and associated resources.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TIBCO Managed File Transfer Command Center: 8.0.0 - 8.4.1

TIBCO Managed File Transfer Internet Server: 8.0.0 - 8.4.1


CPE2.3 External links

http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###