LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50899: Geonetwork 4.2.0 - XML External Entity (XXE)

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

GeoNetwork systems may let an unauthenticated attacker read files from the server through XML handling in PDF rendering. The main business risk is confidentiality loss, including configuration files or secrets. Public exploit material is referenced, but the provided sources do not show confirmed active exploitation.

Executive priority

Prioritize remediation for externally reachable GeoNetwork instances because this is a high-severity confidentiality issue with public exploit material. Internal-only instances still warrant planned remediation, especially if they can access secrets, credentials, or sensitive operational files.

Technical view

CVE-2022-50899 is a CWE-611 XXE flaw in GeoNetwork PDF creation/rendering. The supplied CVSS v4 vector is network reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no stated integrity or availability impact.

Likely exposure

Exposure is likely where GeoNetwork 3.10 through 4.2.0 is internet-accessible or reachable by untrusted users and PDF creation/rendering is enabled. The affected metadata is inconsistent: the description says 3.10 through 4.2.0, while the affected list names 3.10.

Exploitation context

The bundle includes an ExploitDB reference, so public exploit information exists. KEV is false, and no supplied source confirms active exploitation in the wild. Treat internet-facing instances as higher priority because the CVSS vector indicates unauthenticated network access.

Researcher notes

Evidence supports XXE in PDF rendering via insecure XML parsing and baseURL-related PDF creation behavior. Do not assume code execution, integrity impact, availability impact, or active exploitation from the supplied sources. Patch status is not provided in the bundle.

Mitigation direction

  • Inventory GeoNetwork deployments and confirm exact versions.
  • Check GeoNetwork and VulnCheck guidance for fixed versions or vendor-supported mitigations.
  • Upgrade when an official fixed release is identified by the vendor.
  • Restrict access to PDF creation/rendering from untrusted networks where feasible.
  • Limit server file permissions to reduce sensitive file exposure.

Validation and detection

  • Confirm whether deployed versions fall within 3.10 through 4.2.0.
  • Determine whether PDF rendering or creation requests are enabled and reachable.
  • Review web access logs for unusual PDF creation requests.
  • Check for unexpected reads or exposure of sensitive local files.
  • Document any version evidence and compensating controls.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-611: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-50899 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NVulnCheck
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N2.83.6VulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2022-50899Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
GeoNetworkGeoNetwork3.10Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-611 · source CWE mapping

Improper Restriction of XML External Entity Reference

Improper Restriction of XML External Entity Reference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.