Hitachi Energy Asset Suite


1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Asset Suite
  • Vulnerabilities: Server-Side Request Forgery (SSRF), Deserialization of Untrusted Data, Cleartext Storage of Sensitive Information, Uncontrolled Resource Consumption, URL Redirection to Untrusted Site (‘Open Redirect’), Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to trigger resource consumption or information disclosure through SSRF in Apache XML Graphics Batik, mount a denial-of-service attack via poisoned data in logback, discover cleartext passwords in the H2 Database Engine, fill up the file system in Apache CXF, perform open redirect or SSRF attacks through UriComponentsBuilder, and execute arbitrary code in Apache ActiveMQ.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Asset Suite: Versions 9.6.4.5 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A Server-Side Request Forgery (SSRF) vulnerability exists in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik version 1.16. On version 1.16, a malicious SVG could trigger loading of external resources by default, causing resource consumption or, in some cases, information disclosure.

CVE-2022-44729 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H).
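The Batik issue above is triggered by SVG content that references resources outside the document. Besides upgrading, a defender can refuse such input before it reaches the renderer. The following Python pre-render check is an added example written for this advisory; it is not Hitachi Energy, CISA or Apache code. It flags `href`/`xlink:href` attributes, CSS `url()` references and external DTD or entity declarations that point anywhere other than a same-document fragment or an inline `data:` URI. The two SVG strings and the `example.invalid` hostnames are constructed sample input.

```python
"""Pre-render check for untrusted SVG: flag references that would make a
renderer such as Apache XML Graphics Batik fetch resources outside the
document. Added example for the advisory text; not vendor or project code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# CSS url() references inside style attributes or <style> blocks
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
# External DTD / entity declarations are fetched before any element is rendered
DOCTYPE_EXTERNAL_RE = re.compile(
    r"<!(?:DOCTYPE|ENTITY)[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def is_external(ref):
    """True when resolving `ref` would require fetching something."""
    ref = ref.strip()
    if ref.startswith("#"):
        return False  # same-document fragment, nothing fetched
    if urlparse(ref).scheme.lower() == "data":
        return False  # inline data URI, nothing fetched
    return True       # http(s), file, jar, ... or a relative path against a base URL


def find_external_refs(svg_text):
    """Return a list of (location, reference) pairs that reach outside the SVG."""
    findings = []
    if DOCTYPE_EXTERNAL_RE.search(svg_text):
        findings.append(("DOCTYPE", "external DTD or entity declaration"))
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions carry no tag name
        tag = elem.tag.split("}")[-1]  # strip the namespace prefix
        for attr in HREF_ATTRS:
            value = elem.get(attr)
            if value is not None and is_external(value):
                findings.append((tag, value))
        style = elem.get("style", "")
        if tag == "style" and elem.text:
            style += elem.text
        for url in CSS_URL_RE.findall(style):
            if is_external(url):
                findings.append((tag + "/style", url))
    return findings


# Constructed sample input: one self-contained SVG, one that reaches out.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="%s">'
    '<defs><circle id="c" r="5"/></defs><use xlink:href="#c"/>'
    '<image href="data:image/png;base64,AAAA"/></svg>' % XLINK_NS)
SUSPICIOUS_SVG = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE svg SYSTEM "http://dtd.example.invalid/svg.dtd">'
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="%s">'
    '<image xlink:href="http://files.example.invalid/a.png"/>'
    '<rect style="fill:url(http://files.example.invalid/p.svg#g)"/>'
    '<style>.a{background:url(#local)}</style></svg>' % XLINK_NS)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(name, find_external_refs(doc))
```

The check is deliberately conservative: a relative path and a `PUBLIC` W3C DTD header are both flagged, because whether they cause a fetch depends on the renderer's base URL and entity resolver. A deployment that must accept standard DTD headers can allow-list known public identifiers, but a non-empty result should block rendering rather than merely log.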

A CVSS v4 score has also been calculated for […]

This article has been indexed from All CISA Advisories
