CVE-2022-2838

EUVD-2022-35072
In Eclipse Sphinxâ„¢ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
eclipsesphinx
0.7.0 ≤
𝑥
< 0.13.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.eclipse.org/580542
https://bugs.eclipse.org/580542