Vulnerability Name:

CVE-2022-3338 (CCN-238477)

Assigned: 2022-10-11
Published: 2022-10-11
Updated: 2022-10-20
Summary: An XML External Entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can allow an unauthenticated remote attacker to potentially trigger a Server-Side Request Forgery attack. This can be exploited by mimicking the Agent Handler call to ePO and passing a carefully constructed XML file through the API.
CVSS v3 Severity: 5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-611
Vulnerability Consequences: Data Manipulation
References: Source: MITRE
Type: CNA
CVE-2022-3338

Source: XF
Type: UNKNOWN
epo-cve20223338-xxe(238477)

Source: CONFIRM
Type: Third Party Advisory
https://kcm.trellix.com/corporate/index?page=content&id=SB10387

Source: CCN
Type: Trellix Security Bulletin ID: SB10387
Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2022-3338, CVE-2022-3339) and updates Java, Apache HTTP Server, and OpenSSL

Vulnerable Configuration: Configuration 1:
  • cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* (Version < 5.10.0)
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_11:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_12:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_13:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*
  • OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:mcafee:epolicy_orchestrator:5.10.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    mcafee epolicy orchestrator 5.10.0 update_1
    mcafee epolicy orchestrator 5.10.0 update_2
    mcafee epolicy orchestrator 5.10.0 update_3
    mcafee epolicy orchestrator 5.10.0 update_4
    mcafee epolicy orchestrator 5.10.0 update_5
    mcafee epolicy orchestrator 5.10.0 update_6
    mcafee epolicy orchestrator 5.10.0 -
    mcafee epolicy orchestrator *
    mcafee epolicy orchestrator 5.10.0 update_7
    mcafee epolicy orchestrator 5.10.0 update_10
    mcafee epolicy orchestrator 5.10.0 update_11
    mcafee epolicy orchestrator 5.10.0 update_12
    mcafee epolicy orchestrator 5.10.0 update_13
    mcafee epolicy orchestrator 5.10.0 update_8
    mcafee epolicy orchestrator 5.10.0 update_9
    mcafee epolicy orchestrator 5.10.0