CVE-2022-31261

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.

Published: May 24, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-31261
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
morpheusdata / morpheus	5.4.0	5.4.4.x
morpheusdata / morpheus	-	5.2.16.x

https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html
https://support.morpheusdata.com/s/?language=en_US

Vulnerability Database

CVE-2022-31261