CVE-2022-50899

Source
https://cve.org/CVERecord?id=CVE-2022-50899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50899
Published
2026-01-13T23:15:52.007Z
Modified
2026-04-10T04:53:47.399241Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

GeoNetwork 3.10 through 4.2.0 contains an XML external entity (XXE) vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

References

Affected packages

Git / github.com/geonetwork/core-geonetwork

Affected ranges

Type
GIT
Repo
https://github.com/geonetwork/core-geonetwork
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.10.0"
        },
        {
            "last_affected": "4.2.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50899.json"