Cyber Resilience

CVE-2022-42149

Critical

Published: 17 October 2022

Modified: 14 May 2025
KEV added: not listed
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4284 (97.6th percentile)
Risk priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-42149 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in keking kkFileView. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 2.4% of CVEs by EPSS exploit likelihood (97.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

kkFileView 4.0 contains a server-side request forgery vulnerability in the OnlinePreviewController.java component, tracked as CVE-2022-42149 and classified as CWE-918. The flaw received a CVSS 3.1 base score of 9.8, reflecting a network-reachable attack vector (AV:N) that requires neither authentication (PR:N) nor user interaction (UI:N).

An unauthenticated remote attacker can supply crafted input to the affected controller and coerce the application into issuing arbitrary requests to internal or external resources, potentially resulting in full compromise of confidentiality, integrity, and availability. The current EPSS score of 0.4284 equals its historical peak, indicating sustained exploitation interest since disclosure rather than a recent climb from a low baseline.

Vulnerability details

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

CWE(s)

CWE-918 (server-side request forgery)

Related Threats

No named threat actor has been attributed to this CVE yet; ATT&CK technique mapping for it is in progress.

Affected Assets

Vendor: keking
Product: kkfileview
Version: 4.0.0

Mitigating Controls

Likely mitigating controls (automatically derived)

A per-CVE control mapping has not yet been run for this CVE; the controls below are derived from the weakness type (CWE-918) cited in the NVD entry.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)

- Outbound connections to external resources can be monitored and limited at the network boundary, reducing the impact of SSRF. (addresses CWE-918)

- Validation of server-side URLs and resource references blocks SSRF attempts. (addresses CWE-918)

- Monitoring of unexpected outbound connections detects server-side request forgery. (addresses CWE-918)
