CVE-2022-31261

Name of the Vulnerable Software and Affected Versions Morpheus versions 5.2.0 through 5.2.16 Morpheus versions 5.4.0 through 5.4.4

Description An XXE issue was discovered that allows a remote attacker to read local files by sending a request crafted with an XXE payload to invoke a malicious DTD hosted on a system they control. This requires a SAML identity provider to be configured and the attacker to know the unique SAML callback ID of the configured identity source.

Recommendations For Morpheus versions 5.2.0 through 5.2.16, update to a version later than 5.2.16 to resolve the issue. For Morpheus versions 5.4.0 through 5.4.4, update to a version later than 5.4.4 to resolve the issue. As a temporary workaround, consider disabling the SAML identity provider configuration until a patch is available.