CVE-2022-23170

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

CVSS v3 5.9 MEDIUM
CVSS v2.0 6.8 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 3.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.gov.il/en/departments/faq/cve_advisories	Third Party Advisory
https://www.gov.il/en/departments/faq/cve_advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sysaid:okta_sso:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type	Values Removed	Values Added
CVSS	v2 : ~~6.8~~ v3 : ~~9.8~~	v2 : 6.8 v3 : 5.9
References	~~() https://www.gov.il/en/departments/faq/cve_advisories - Third Party Advisory~~	() https://www.gov.il/en/departments/faq/cve_advisories - Third Party Advisory

07 Jul 2022, 15:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 9.8
CPE		cpe:2.3:a:sysaid:okta_sso::::::::
CWE		CWE-611
References	~~(MISC) https://www.gov.il/en/departments/faq/cve_advisories -~~	(MISC) https://www.gov.il/en/departments/faq/cve_advisories - Third Party Advisory

24 Jun 2022, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-06-24 15:15

Updated : 2024-11-21 06:48

NVD link : CVE-2022-23170

Mitre link : CVE-2022-23170

CVE.ORG link : CVE-2022-23170

JSON object : View

Products Affected

sysaid

okta_sso

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2022-23170", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@cyber.gov.il", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-06-24T15:15:10.200", "references": [{"url": "https://www.gov.il/en/departments/faq/cve_advisories", "tags": ["Third Party Advisory"], "source": "cna@cyber.gov.il"}, {"url": "https://www.gov.il/en/departments/faq/cve_advisories", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@cyber.gov.il", "description": [{"lang": "en", "value": "CWE-611"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks."}, {"lang": "es", "value": "SysAid - integraci\u00f3n de Okta SSO - se ha encontrado susceptible a una vulnerabilidad de tipo External Entity Injection. Cualquier entorno de SysAid que utilice la integraci\u00f3n de Okta SSO podr\u00eda ser vulnerable. Un atacante no autenticado podr\u00eda explotar la vulnerabilidad de tipo XXE mediante el env\u00edo de una petici\u00f3n POST malformada al endpoint del proveedor de identidad. Un atacante puede extraer el endpoint del proveedor de identidad al decodificar el valor del par\u00e1metro SAMLRequest y buscando el valor del par\u00e1metro AssertionConsumerServiceURL. A menudo permite a un atacante ver los archivos en el sistema de archivos del servidor de aplicaciones e interactuar con cualquier sistema back-end o externo al que la aplicaci\u00f3n pueda acceder. En algunas situaciones, un atacante puede escalar un ataque de tipo XXE para comprometer el servidor subyacente u otra infraestructura de back-end aprovechando la vulnerabilidad de tipo XXE para llevar a cabo ataques de tipo server-side request forgery (SSRF)"}], "lastModified": "2024-11-21T06:48:07.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sysaid:okta_sso:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ACD0B25-C198-413D-A3CD-88FD5EA415AF", "versionEndIncluding": "22.1.63", "versionStartIncluding": "22.1.49"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cyber.gov.il"}

5.9 /10