PT-2026-2375 · Geonetwork+2 · Geonetwork+1

Amel Bouziane-Leblond · Published 2026-01-13 · Updated 2026-02-27 · CVE-2022-50899

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Geonetwork versions 3.10 through 4.2.0

Description

Geonetwork contains a flaw in its PDF rendering process related to XML external entities. This allows attackers to retrieve arbitrary files from the server. The issue stems from an insecure XML parser that can be exploited by crafting malicious XML documents with external entity references. Specifically, attackers can read system files through the baseURL parameter when making PDF creation requests.

Recommendations

Versions prior to 4.2.1 should be updated.

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2022-50899

Affected Products

Geonetwork
Core-Geonetwork