CVE-2022-35741
Published: 18 July 2022
Summary
CVE-2022-35741 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache CloudStack. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache CloudStack versions 4.5.0 and later include a SAML 2.0 Service Provider plugin that is vulnerable to XML external entity (XXE) injection. The plugin is disabled by default. The issue stems from parsing the XML-based SAML 2.0 messages exchanged during the authentication flow with standard XML libraries whose default configuration resolves external entities (CWE-611). Successful exploitation can result in arbitrary file disclosure, denial of service, or server-side request forgery (SSRF) from the management server.
An unauthenticated attacker can trigger the flaw only when the SAML plugin has been explicitly enabled. By supplying a crafted SAML request or response in the authentication flow, the attacker can make the CloudStack management server resolve external entities declared in that message, with the impacts noted above. The CVSS 3.1 base score of 9.8 reflects a network attack vector, low attack complexity, and no privileges or user interaction required.
The Apache advisory and its OpenWall (oss-security) posting emphasize that the plugin must be enabled for any exploitation to occur, which makes the default-disabled state the primary control. No further patch or configuration details are supplied in the source data.
The associated EPSS score has remained flat at its peak value of 0.3443 with no material upward trajectory observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38614
Vulnerability details
Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack, it could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, and server-side request forgery (SSRF) on the CloudStack management server.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Apache CloudStack 4.5.0 and later, on management servers where the SAML 2.0 Service Provider plugin has been enabled.
Mitigating Controls
Per-CVE control mapping has not been run for this CVE; the controls below follow from the advisory text on this page and from the cited weakness type (CWE-611).
- Leave the SAML 2.0 Service Provider plugin disabled unless SAML authentication is required; the advisory identifies the default-disabled state as the primary control.
- Where SAML must be enabled, configure every XML parser that handles SAML messages to disallow DOCTYPE declarations and to disable external general and parameter entity resolution, the standard CWE-611 countermeasure.
- Restrict outbound network access from the management server to limit the reach of the SSRF impact, and monitor SAML endpoints for inbound messages containing DOCTYPE or ENTITY declarations, which legitimate SAML messages never carry.