CVE-2022-45064 — Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to pr

Description

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.

How to fix CVE-2022-45064

To remediate CVE-2022-45064, upgrade the affected package to a fixed version below.

—upgrade to 2.14.0 or later

Is CVE-2022-45064 being exploited?

Moderate — EPSS is 5.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-45064
PATCHgithub.com/apache/sling-org-apache-sling-engine
WEBlists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok
WEBwww.openwall.com/lists/oss-security/2023/04/18/6