CVE-2022-45064
CVSS V2 None
CVSS V3 None
Description
The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power.
Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.
Overview
- CVE ID
- CVE-2022-45064
- Assigner
- security@apache.org
- Vulnerability Status
- Analyzed
- Published Version
- 2023-04-13T11:15:06
- Last Modified Date
- 2023-04-26T14:17:21
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:apache:sling:*:*:*:*:*:*:*:* | 1 | OR | 2.14.0 |
References
| Reference URL | Reference Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2023/04/18/6 | |
| https://lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-45064 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45064 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 04:40:56 | Added to TrackCVE | |||
| 2023-04-17 04:40:58 | Weakness Enumeration | new | ||
| 2023-04-18 04:00:32 | 2023-04-18T03:15:07 | CVE Modified Date | updated | |
| 2023-04-18 04:00:35 | References | updated | ||
| 2023-04-18 20:01:00 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
| 2023-04-26 15:00:51 | 2023-04-26T14:17:21 | CVE Modified Date | updated | |
| 2023-04-26 15:00:51 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
| 2023-04-26 15:00:55 | CPE Information | updated |