PT-2022-16733 · Red Hat+1 · Kie-Server Apis+1

Paramvir Jindal · Published 2022-08-09 · Updated 2023-06-23 · CVE-2022-2458

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Business Central (affected versions not specified)
Kie-Server APIs (affected versions not specified)
Description
The issue allows an attacker to interfere with an application's processing of XML data through XML external entity injection (XXE). Attacker-supplied XML carries a DOCTYPE that declares an external entity; when that document reaches an XML parser whose external entity resolution has been left enabled, the parser fetches the entity's target (a local file path or a URL) and substitutes the fetched content into the parsed document. Here the XXE yields two primitives: external service interaction (the server opens outbound connections to an attacker-chosen URL, a server-side request forgery primitive) and internal file read (the contents of files readable by the application user are embedded in the parsed document and can be returned to the attacker or exfiltrated through the outbound request). This is consistent with the CVSS vector: high confidentiality impact, low integrity impact, no availability impact, reachable over the network with no privileges or user interaction.
Recommendations
For both Business Central and Kie-Server APIs the durable fix is the same: every XML parser that handles untrusted input must reject DOCTYPE declarations and must not resolve external general entities, external parameter entities or external DTDs. Apply the vendor patch when one is available (this page lists no fixed versions; check Red Hat's advisory for CVE-2022-2458). Until the parser configuration is corrected, treat the workarounds below as reducing rather than removing exposure: disable external entity processing in Business Central where the deployment allows it, restrict which principals and networks can submit XML to the Kie-Server endpoints, and watch for outbound connections from the application host that it has no business reason to make, since these are the visible side effect of the external service interaction.
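The following is an added example, not code from Business Central, Kie-Server or Red Hat. It shows the weakly configured parser the description refers to (a JDK `DocumentBuilder` with default settings, which resolves external general entities) beside the hardened configuration the recommendations call for, and feeds both a constructed XXE payload that points at a temporary file standing in for a sensitive local file. The Xerces feature URIs are the standard ones accepted by the JDK's built-in parser; the temporary file, its contents and the class name are assumptions made for the demonstration, and `Files.writeString` requires Java 11 or later.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Constructed attacker payload (assumption: the attacker controls the XML body).
    // The entity target is a local file here; an http:// or ftp:// URL in the same
    // position gives the external service interaction described in the advisory.
    static String payload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>";
    }

    // Weakly configured parser: JDK defaults resolve external general entities,
    // so the file contents end up inside the document text.
    static DocumentBuilder weakParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: refuse any DOCTYPE, and as defence in depth also switch off
    // external general/parameter entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the document and returns the text of the root element, which is where
    // the substituted entity content lands.
    static String parseAndExtract(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file readable by the application user.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = payload(secret);

        // Weak parser: the root element's text now contains the file contents.
        System.out.println("weak parser returned: " + parseAndExtract(weakParser(), xml));

        // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            parseAndExtract(hardenedParser(), xml);
            System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The `disallow-doctype-decl` feature alone closes both the file-read and the outbound-request paths, because no entity can be declared without a DOCTYPE; the remaining features matter when a deployment must keep DOCTYPE support, and `setExpandEntityReferences(false)` on its own is not a sufficient control. The same hardening applies to `SAXParserFactory`, `XMLInputFactory` and any XML binding layer that builds on them.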

Weakness Enumeration
XXE (CWE-611, improper restriction of XML external entity reference)

Related Identifiers
CVE-2022-2458

Affected Products
Business Central
Kie-Server APIs