CVE-2022-50899: Geonetwork 4.2.0 - XML External Entity (XXE)
Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
Security readout for executives and security teams
Plain-English summary
GeoNetwork systems may let an unauthenticated attacker read files from the server through XML handling in PDF rendering. The main business risk is confidentiality loss, including configuration files or secrets. Public exploit material is referenced, but the provided sources do not show confirmed active exploitation.
Executive priority
Prioritize remediation for externally reachable GeoNetwork instances because this is a high-severity confidentiality issue with public exploit material. Internal-only instances still warrant planned remediation, especially if they can access secrets, credentials, or sensitive operational files.
Technical view
CVE-2022-50899 is a CWE-611 XXE flaw in GeoNetwork PDF creation/rendering. The supplied CVSS v4 vector is network reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no stated integrity or availability impact.
Likely exposure
Exposure is likely where GeoNetwork 3.10 through 4.2.0 is internet-accessible or reachable by untrusted users and PDF creation/rendering is enabled. The affected metadata is inconsistent: the description says 3.10 through 4.2.0, while the affected list names 3.10.
Exploitation context
The bundle includes an ExploitDB reference, so public exploit information exists. KEV is false, and no supplied source confirms active exploitation in the wild. Treat internet-facing instances as higher priority because the CVSS vector indicates unauthenticated network access.
Researcher notes
Evidence supports XXE in PDF rendering via insecure XML parsing and baseURL-related PDF creation behavior. Do not assume code execution, integrity impact, availability impact, or active exploitation from the supplied sources. Patch status is not provided in the bundle.
Mitigation direction
Inventory GeoNetwork deployments and confirm exact versions.
Check GeoNetwork and VulnCheck guidance for fixed versions or vendor-supported mitigations.
Upgrade when an official fixed release is identified by the vendor.
Restrict access to PDF creation/rendering from untrusted networks where feasible.
Limit server file permissions to reduce sensitive file exposure.
Validation and detection
Confirm whether deployed versions fall within 3.10 through 4.2.0.
Determine whether PDF rendering or creation requests are enabled and reachable.
Review web access logs for unusual PDF creation requests.
Check for unexpected reads or exposure of sensitive local files.
Document any version evidence and compensating controls.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-611: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-611 · source CWE mapping
Improper Restriction of XML External Entity Reference
Improper Restriction of XML External Entity Reference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.