CVE-2022-23170 Vulnerability Details

  /     /     /  

CVE-2022-23170 Metadata Quick Info

CVE Published: 24/06/2022 | CVE Updated: 16/09/2024 | CVE Year: 2022
Source: INCD | Vendor: Sysaid | Product: SysAid - Okta SSO integration
Status : PUBLISHED

---

CVE-2022-23170 Description

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter\'s value and searching for the AssertionConsumerServiceURL parameter\'s value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Metrics

CVSS Version: 3.1 | Base Score: 5.9 MEDIUM
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* ADJACENT_NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-611
CWE Name: CWE-611 Improper Restriction of XML External Entity Reference ( XXE )
Source: Sysaid

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).