CVE-2021-22338

Name of the Vulnerable Software and Affected Versions eCNS280 versions V100R005C00 through V100R005C10

Description The issue is related to an XXE injection vulnerability. A module does not perform strict operations on the input XML message, allowing an attacker to send a specific message to exploit this vulnerability. This can lead to a denial of service of the module. The vulnerability is associated with incorrect restriction of XML links to external objects, which can be exploited by a remote attacker.

Recommendations For eCNS280 versions V100R005C00 and V100R005C10, consider disabling the module that processes XML messages until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the module that handles XML input to minimize the risk of denial of service. Avoid using the vulnerable module until the issue is resolved with a proper fix. At the moment, there is no information about a newer version that contains a fix for this vulnerability.