CVE-2022-31261
HIGHMorpheus < 5.2.16 and 5.4.x through 5.4.4 - XML External Entity Injection via SAML Callback
Title source: llmDescription
An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker can send a request crafted with an XXE payload to invoke a malicious DTD hosted on a system that they control. This results in reading local files that the application has access to.
References (2)
Core 2
Core References
Not Applicable, Vendor Advisory x_refsource_misc
https://support.morpheusdata.com/s/?language=en_US
Release Notes, Vendor Advisory x_refsource_misc
https://docs.morpheusdata.com/en/5.4.4/release_notes/current.html
Scores
CVSS v3
7.5
EPSS
0.0109
EPSS Percentile
61.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (1)
morpheusdata/morpheus
< 5.2.16
Published
May 24, 2022
Tracked Since
Feb 18, 2026