Apache Sling Engine: Include-based XSS
CVE-2022-45064
What is CVE-2022-45064?
The Apache Sling Engine's SlingRequestDispatcher does not correctly implement the servlet RequestDispatcher API. This flaw opens the door to a generic class of include-based cross-site scripting (XSS) attacks at the Apache Sling level: an attacker who controls the include path can include a resource with a specific content type, and the resulting unauthorized access can have serious consequences, including privilege escalation to administrative roles. To mitigate this risk, update to Apache Sling Engine version 2.14.0 or later and enable the 'Check Content-Type overrides' configuration option.
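The security-relevant point above is that an included resource should not be able to re-type the outer response. The Servlet RequestDispatcher contract says header changes made by an included resource are ignored, so a dispatcher that lets an include switch a non-HTML response to text/html turns an otherwise harmless include path into an HTML-rendering problem. The following is an added, constructed model of that behaviour, not Apache Sling's code and not a reproduction of its actual dispatcher: the resource table, the Response class and the dispatch() helper are all assumptions made for illustration, and the check_content_type_overrides flag stands in for the page's 'Check Content-Type overrides' option, modelled here as rejecting the override.

```python
"""Constructed model of include-based content-type override (assumption: not Sling's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ContentTypeOverrideError(Exception):
    """An included resource tried to change the content type of the outer response."""


def media_type(content_type: str) -> str:
    """Strip parameters such as ';charset=utf-8' and normalise case for comparison."""
    return content_type.split(";", 1)[0].strip().lower()


@dataclass
class Response:
    """Minimal stand-in for the servlet response, tracking include nesting."""
    check_content_type_overrides: bool = False
    content_type: Optional[str] = None
    body: List[str] = field(default_factory=list)
    include_depth: int = 0

    def set_content_type(self, value: str) -> None:
        if self.include_depth == 0 or self.content_type is None:
            self.content_type = value
            return
        if media_type(value) == media_type(self.content_type):
            return  # same media type: nothing is being overridden
        if self.check_content_type_overrides:
            # hardened behaviour: refuse to let an include re-type the outer response
            raise ContentTypeOverrideError(
                f"include tried to change {self.content_type!r} to {value!r}")
        # vulnerable behaviour modelled here: the include silently re-types the response
        self.content_type = value

    def write(self, text: str) -> None:
        self.body.append(text)


# Constructed sample resources (assumption): path -> (content type, rendered body).
RESOURCES: Dict[str, Tuple[str, str]] = {
    "/content/data.json": ("application/json", '{"title": "hello"}'),
    "/content/comment.html": ("text/html", "<p>comment: &lt;b&gt;hi&lt;/b&gt;</p>"),
}


def render(path: str, response: Response) -> None:
    """Render one resource into the response, as its servlet would."""
    content_type, body = RESOURCES[path]
    response.set_content_type(content_type)
    response.write(body)


def include(path: str, response: Response) -> None:
    """Dispatcher include: render a nested resource inside an already-started response."""
    response.include_depth += 1
    try:
        render(path, response)
    finally:
        response.include_depth -= 1


def dispatch(outer_content_type: str, include_path: str,
             check_overrides: bool) -> Tuple[str, str]:
    """Start a response of the given type, include `include_path`, report the outcome.

    Returns (final content type, body) or (unchanged content type, "rejected")
    when the override check blocks the include.
    """
    response = Response(check_content_type_overrides=check_overrides)
    response.set_content_type(outer_content_type)
    response.write("outer:")
    try:
        include(include_path, response)
    except ContentTypeOverrideError:
        return response.content_type or "", "rejected"
    return response.content_type or "", "".join(response.body)


if __name__ == "__main__":
    for check in (False, True):
        print("check enabled:", check,
              dispatch("application/json", "/content/comment.html", check))
```

Run with the check disabled, a JSON response that includes the HTML-typed resource ends up served as text/html; with the check enabled, the same include is rejected and the outer content type is kept. The detection angle for a defender is the same comparison the model makes: log and alert when an included resource's media type differs from the outer response's.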

Affected Version(s)
Apache Sling Engine < 2.14.0