CVE-2022-36969

Name of the Vulnerable Software and Affected Versions AVEVA Edge versions 2020 SP2 Patch 0(4201.2111.1802.0000)

Description The issue is related to the improper restriction of XML External Entity (XXE) references in the LoadImportedLibraries method, allowing remote attackers to disclose sensitive information. This can be achieved by crafting a document that specifies a URI, causing the XML parser to access the URI and embed its contents back into the XML document. An attacker can leverage this to disclose information in the context of the current process, but user interaction is required, such as visiting a malicious page or opening a malicious file.

Recommendations For AVEVA Edge version 2020 SP2 Patch 0(4201.2111.1802.0000), consider disabling the LoadImportedLibraries method as a temporary workaround until a patch is available. Restrict access to the XML External Entity references to minimize the risk of exploitation. Avoid using crafted documents that specify malicious URIs in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.