CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2022-31261

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.004

EPSS Ranking 57.3%

CVSS Severity

CVSS v3 Score 7.5

CVSS v2 Score 4.3

References

https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html
https://support.morpheusdata.com/s/?language=en_US
https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html
https://support.morpheusdata.com/s/?language=en_US

Products affected by CVE-2022-31261

Morpheusdata » Morpheus » Version: 5.2.16

cpe:2.3:a:morpheusdata:morpheus:5.2.16
Morpheusdata » Morpheus » Version: 5.4.0

cpe:2.3:a:morpheusdata:morpheus:5.4.0
Morpheusdata » Morpheus » Version: 5.4.4

cpe:2.3:a:morpheusdata:morpheus:5.4.4

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2022-31261

Products

Pricing

Contact Us