CVE-2023-22247

Source
https://cve.org/CVERecord?id=CVE-2023-22247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-22247
Aliases
Published
2023-03-27T00:00:00Z
Modified
2026-07-15T02:07:57.644214937Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Adobe Commerce XML Injection Arbitrary file system read
Details

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Database specific
{
    "cna_assigner": "adobe",
    "cwe_ids": [
        "CWE-91"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "2.4.5-p1"
                },
                {
                    "last_affected": "2.4.4-p2"
                },
                {
                    "last_affected": "None"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22247.json"
}
References

Affected packages

Git / github.com/magento/magento2

Affected ranges

Type
GIT
Repo
https://github.com/magento/magento2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Last affected
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.4"
        },
        {
            "introduced": "2.4.4-NA"
        },
        {
            "last_affected": "2.4.4-NA"
        },
        {
            "introduced": "2.4.4-p1"
        },
        {
            "last_affected": "2.4.4-p1"
        },
        {
            "introduced": "2.4.4-p2"
        },
        {
            "last_affected": "2.4.4-p2"
        },
        {
            "introduced": "2.4.5-NA"
        },
        {
            "last_affected": "2.4.5-NA"
        },
        {
            "introduced": "2.4.5-p1"
        },
        {
            "last_affected": "2.4.5-p1"
        }
    ]
}

Affected versions

0.*
0.1.0-alpha100
0.1.0-alpha101
0.1.0-alpha102
0.1.0-alpha103
0.1.0-alpha104
0.1.0-alpha105
0.1.0-alpha106
0.1.0-alpha107
0.1.0-alpha108
0.1.0-alpha89
0.1.0-alpha90
0.1.0-alpha91
0.1.0-alpha92
0.1.0-alpha93
0.1.0-alpha94
0.1.0-alpha95
0.1.0-alpha96
0.1.0-alpha97
0.1.0-alpha98
0.1.0-alpha99
0.42.0-beta1
0.42.0-beta3
0.74.0-beta1
2.*
2.0.0
2.0.0-rc
2.1.0
2.1.0-rc1
2.1.0-rc2
2.1.0-rc3
2.2.0-RC1.1
2.2.0-RC1.2
2.2.0-RC1.3
2.4.4-NA
2.4.4-p1
2.4.4-p2
2.4.5-NA
2.4.5-p1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22247.json"