PT-2022-21777 · McAfee · McAfee ePO

Published: 2022-10-18 · Updated: 2022-10-20 · CVE-2022-3338

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

McAfee ePO versions prior to 5.10 Update 14

Description

The issue allows an unauthenticated remote attacker to potentially trigger a Server-Side Request Forgery (SSRF) attack by exploiting an XML External Entity (XXE) vulnerability. This can be done by mimicking the Agent Handler call to ePO and passing a carefully constructed XML file through the API.

Recommendations

For versions prior to 5.10 Update 14, update to version 5.10 Update 14 or later to resolve the issue. As a temporary workaround, consider restricting access to the API endpoint to minimize the risk of exploitation.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2022-3338

Affected Products

McAfee ePO