CBRN-Analysis – External XML entity injection
DATE
10.11.2022
Affected Vendor
Bruhn NewTech
Affected Product
CBRN-Analysis
Vulnerable version
21.0/A
Fixed version
22
CVSS
3.8 (Low) CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Recommendations
Update to CBRN-Analysis v.22 or newer.
Vulnerability details
CBRN-Analysis is an off-the-shelf CBRN Defence Knowledge Management software application that provides Knowledge Management, Hazard Prediction, and Warning and Reporting (W&R) capability, supporting the planning and execution of operations.
The application uses an XML parser to process XML files. This XML parser is vulnerable to external XML entity injection, or “XXE”, attacks.
As an example impact, a potential adversary can prepare a malicious “mws” file. When the victim user opens this file in CBRN-Analysis, the software makes a network request to a remote resource; in that way, the adversary could receive an NTLMv2-SSP hash.
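The defensive counterpart to the issue described above, as an added example that is not code from the vendor or from the advisory's authors: a coarse pre-parse gate that flags DOCTYPE and external entity declarations in an incoming document, and a parser configured so that an external entity expands to nothing instead of triggering a network request. It assumes Python's standard-library SAX parser as a stand-in for the application's own parser; the document shape and the placeholder host are constructed for illustration.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample in the shape of an XML workspace file: its internal DTD
# declares an external entity that a vulnerable parser would fetch when the
# entity is referenced (the host is a placeholder, not a real resource).
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE workspace [
  <!ENTITY ext SYSTEM "http://placeholder.invalid/resource">
]>
<workspace><name>&ext;</name></workspace>"""

# Constructed benign document that carries no DTD at all.
SAMPLE_CLEAN = '<?xml version="1.0"?><workspace><name>Site A</name></workspace>'

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def external_entity_findings(xml_text: str) -> list[str]:
    """Coarse pre-parse gate: list the DTD constructs that enable XXE (empty = none found)."""
    findings = []
    if _DOCTYPE_RE.search(xml_text):
        findings.append("DOCTYPE declaration present")
    if _EXT_ENTITY_RE.search(xml_text):
        findings.append("external entity declared with SYSTEM/PUBLIC identifier")
    return findings


class _TextCollector(ContentHandler):
    """Collects character data so the caller can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_hardened(xml_text: str) -> str:
    """Parse with external general and parameter entity resolution switched off.

    An external entity reference then expands to nothing rather than causing a
    network or file access; the document's character data is returned.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(collector.chunks)
```

A stricter policy that many applications can afford is to reject any document with a DOCTYPE outright, since the file format rarely needs one.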
CVE
CVE-2022-45194
Credits
Dawid Czarnecki and Jerome Nokin from NATO Cyber Security Centre