CVE-2022-3338

An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing the carefully constructed XML file through the API.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
trellixCNA
5.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
VendorProductVersion
mcafeeepolicy_orchestrator
𝑥
< 5.10.0
mcafeeepolicy_orchestrator
5.10.0
mcafeeepolicy_orchestrator
5.10.0:update_1
mcafeeepolicy_orchestrator
5.10.0:update_10
mcafeeepolicy_orchestrator
5.10.0:update_11
mcafeeepolicy_orchestrator
5.10.0:update_12
mcafeeepolicy_orchestrator
5.10.0:update_13
mcafeeepolicy_orchestrator
5.10.0:update_2
mcafeeepolicy_orchestrator
5.10.0:update_3
mcafeeepolicy_orchestrator
5.10.0:update_4
mcafeeepolicy_orchestrator
5.10.0:update_5
mcafeeepolicy_orchestrator
5.10.0:update_6
mcafeeepolicy_orchestrator
5.10.0:update_7
mcafeeepolicy_orchestrator
5.10.0:update_8
mcafeeepolicy_orchestrator
5.10.0:update_9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://kcm.trellix.com/corporate/index?page=content&id=SB10387
https://kcm.trellix.com/corporate/index?page=content&id=SB10387