CVE-2022-34269

An issue was discovered in RWS WorldServer before 11.7.3. An authenticated, remote attacker can perform a ws-legacy/load_dtd?system_id= blind SSRF attack to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
rwsworldserver
𝑥
< 11.7.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.rws.com/localization/products/trados-enterprise/worldserver/
https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver
https://www.rws.com/localization/products/trados-enterprise/worldserver/
https://www.triskelelabs.com/vulnerabilities-in-rws-worldserver