CVE-2022-50899 Overview
GeoNetwork versions 3.10 through 4.2.0 contain an XML External Entity (XXE) vulnerability in the PDF rendering functionality. This vulnerability allows remote attackers to retrieve arbitrary files from the server by exploiting an insecure XML parser configuration. Attackers can craft malicious XML documents with external entity references to read sensitive system files through the baseURL parameter in PDF creation requests.
Critical Impact
Remote attackers can exploit this XXE vulnerability to access sensitive files from the server without authentication, potentially exposing configuration files, credentials, and other critical system data.
Affected Products
- GeoNetwork 3.10.x
- GeoNetwork 4.0.x
- GeoNetwork 4.1.x through 4.2.0
Discovery Timeline
- 2026-01-13 - CVE-2022-50899 published to NVD
- 2026-01-13 - Last updated in the NVD database
Technical Details for CVE-2022-50899
Vulnerability Analysis
This vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference). The underlying issue stems from GeoNetwork's PDF rendering component failing to properly configure the XML parser to disable external entity processing. When a user requests PDF generation, the application processes XML input that includes a baseURL parameter. Because the XML parser does not restrict external entity references, an attacker can inject malicious Document Type Definition (DTD) declarations that reference external resources, including local files on the server.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing GeoNetwork deployments. Successful exploitation results in unauthorized disclosure of sensitive information stored on the server.
Root Cause
The root cause of this vulnerability is the improper configuration of the XML parser used in GeoNetwork's PDF rendering functionality. The parser fails to disable Document Type Definition (DTD) processing and external entity resolution. When XML input is parsed without these security controls, the parser will automatically attempt to resolve and include content from external URIs specified in entity declarations, including file:// URIs that can access local filesystem resources.
Attack Vector
The attack is conducted over the network by sending specially crafted HTTP requests to GeoNetwork's PDF generation endpoint. The attacker constructs a malicious XML payload containing an external entity declaration that references a target file (such as /etc/passwd on Linux systems or sensitive configuration files). When the server processes this request to generate a PDF, the XML parser resolves the external entity and includes the contents of the referenced file in the output, which is then returned to the attacker.
The vulnerability is exploited through the baseURL parameter in PDF creation requests, where the malicious XML payload with external entity references is injected. Technical details and a proof-of-concept exploit are available at Exploit-DB #50982.
Detection Methods for CVE-2022-50899
Indicators of Compromise
- HTTP requests to PDF generation endpoints containing suspicious XML payloads with DTD declarations
- Requests with <!ENTITY declarations referencing file://, http://, or other protocol handlers
- Unusual access patterns to PDF rendering functionality from external IP addresses
- Log entries showing attempts to access sensitive file paths through the application
Detection Strategies
- Monitor web application logs for requests containing XML external entity patterns such as <!DOCTYPE, <!ENTITY, and SYSTEM declarations
- Implement Web Application Firewall (WAF) rules to detect and block XXE payload signatures in request parameters
- Configure intrusion detection systems to alert on attempts to access sensitive system files through web requests
- Review application logs for PDF generation requests with abnormal baseURL parameter values
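One way to act on the log-based strategies above, as an added example that is not part of this advisory or of the GeoNetwork project: a small Java scanner that picks PDF-endpoint requests out of combined-format access-log lines, URL-decodes the query string so percent-encoded payloads become visible, and flags the DTD markers named in the list above together with any protocol URI that follows them. The combined log format, the /geonetwork/srv/<lang>/pdf path, the three sample lines and the XxeLogScanner class are assumptions constructed for the example; Java 11 or later is assumed for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans access-log lines for PDF generation requests whose parameters carry
 * XML DTD / external-entity markers (CWE-611 signatures).
 * Added example for this advisory; log format and endpoint path are assumptions.
 */
public class XxeLogScanner {

    // Combined-log-format request field: "METHOD /path?query HTTP/x.y".
    // Only the PDF endpoint is of interest; the language segment of the path varies.
    private static final Pattern PDF_REQUEST = Pattern.compile(
            "\"(GET|POST) (/geonetwork/srv/[a-z]+/pdf[^ \"]*) HTTP/[0-9.]+\"");

    // Markers from the Detection Strategies list, matched after URL-decoding, case-insensitively.
    private static final Pattern DTD_MARKERS = Pattern.compile(
            "<!DOCTYPE|<!ENTITY|\\bSYSTEM\\s*[\"']|\\bPUBLIC\\s*[\"']", Pattern.CASE_INSENSITIVE);

    // Protocol handlers an entity declaration might point at (see Indicators of Compromise).
    private static final Pattern ENTITY_TARGET = Pattern.compile(
            "(file|https?|ftp|jar|gopher)://[^\"'>\\s]*", Pattern.CASE_INSENSITIVE);

    /** One suspicious line, with the decoded evidence that triggered it. */
    public static final class Finding {
        public final String clientIp;
        public final String marker;
        public final String target; // empty when no protocol URI followed the marker

        Finding(String clientIp, String marker, String target) {
            this.clientIp = clientIp;
            this.marker = marker;
            this.target = target;
        }

        @Override
        public String toString() {
            return clientIp + " marker=" + marker + " target=" + (target.isEmpty() ? "(none)" : target);
        }
    }

    /** Returns one Finding per PDF-endpoint request that carries a DTD marker. */
    public static List<Finding> scan(Iterable<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher req = PDF_REQUEST.matcher(line);
            if (!req.find()) continue;                 // not a PDF-endpoint request
            String decoded = decodeLeniently(req.group(2));
            Matcher m = DTD_MARKERS.matcher(decoded);
            if (!m.find()) continue;                   // PDF request without DTD markers: benign
            Matcher t = ENTITY_TARGET.matcher(decoded);
            String target = t.find(m.start()) ? t.group() : ""; // URI after the marker, if any
            findings.add(new Finding(clientIpOf(line), m.group(), target));
        }
        return findings;
    }

    /** Decode percent-encoding and '+' (twice, to catch double encoding); never throw on bad input. */
    static String decodeLeniently(String s) {
        String out = s;
        for (int i = 0; i < 2; i++) {
            try {
                String next = URLDecoder.decode(out, StandardCharsets.UTF_8);
                if (next.equals(out)) break;
                out = next;
            } catch (IllegalArgumentException e) {
                break; // malformed % sequence: keep what we have
            }
        }
        return out;
    }

    /** First whitespace-delimited field of a combined-format line is the client address. */
    private static String clientIpOf(String line) {
        int sp = line.indexOf(' ');
        return sp > 0 ? line.substring(0, sp) : "?";
    }

    public static void main(String[] args) {
        // Constructed sample lines (documentation address ranges, not real traffic).
        List<String> sample = List.of(
            "203.0.113.7 - - [13/Jan/2026:10:00:01 +0000] \"GET /geonetwork/srv/eng/pdf?baseURL=https%3A%2F%2Fcatalog.example.org HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"",
            "198.51.100.9 - - [13/Jan/2026:10:00:02 +0000] \"GET /geonetwork/srv/eng/pdf?baseURL=%3C%21DOCTYPE+x+%5B%3C%21ENTITY+e+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E HTTP/1.1\" 500 312 \"-\" \"curl/8.4.0\"",
            "192.0.2.5 - - [13/Jan/2026:10:00:03 +0000] \"GET /geonetwork/srv/eng/catalog.search HTTP/1.1\" 200 8800 \"-\" \"Mozilla/5.0\""
        );
        for (Finding f : scan(sample)) {
            System.out.println(f);
        }
    }
}
```

The first sample line is a benign PDF request and produces nothing; only the second, whose decoded baseURL contains a DOCTYPE with a file:// entity target, is reported. In a deployment the same scan method can be fed a streamed log instead of the in-memory list in main, and the client address of each finding is what you would pivot on in the other log sources.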
Monitoring Recommendations
- Enable detailed logging for GeoNetwork's PDF generation functionality to capture request parameters
- Monitor network traffic for data exfiltration patterns, particularly large responses from PDF endpoints
- Implement file integrity monitoring on sensitive configuration files to detect unauthorized access attempts
- Establish baseline metrics for PDF generation requests and alert on anomalous activity
How to Mitigate CVE-2022-50899
Immediate Actions Required
- Upgrade GeoNetwork to a version newer than 4.2.0 that includes the security fix for this vulnerability
- If immediate upgrade is not possible, restrict access to PDF generation functionality to trusted users only
- Implement network segmentation to limit the exposure of GeoNetwork instances to the internet
- Apply Web Application Firewall rules to filter requests containing XXE attack patterns
Patch Information
Organizations should update to the latest available version of GeoNetwork that addresses this XXE vulnerability. For detailed information about the affected versions and available patches, refer to the GeoNetwork Open Source Project and the VulnCheck Advisory on GeoNetwork XXE.
Workarounds
- Disable or restrict access to the PDF rendering functionality if it is not required for business operations
- Implement a reverse proxy or WAF to filter incoming requests and block XML payloads containing external entity declarations
- Configure network-level access controls to limit which systems can reach the GeoNetwork application
- If possible, configure the underlying XML parser to disable DTD processing and external entity resolution at the application server level
# Example WAF rule to block XXE patterns (ModSecurity)
# Inspect query/form arguments as well as the raw body, since the baseURL
# parameter may arrive in the query string; decode before matching.
SecRule ARGS|REQUEST_BODY "@rx (?i)<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)" \
"id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'XXE Attack Detected'"

# Restrict access to PDF endpoints at the web server level (nginx example)
# GeoNetwork paths carry a language segment (eng, fre, ...), so match all of them.
location ~ ^/geonetwork/srv/[a-z]+/pdf {
allow 192.168.1.0/24;
deny all;
}
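The parser configuration behind the Root Cause section and the last workaround above (disable DTD processing and external entity resolution), shown as an added example in Java that is not GeoNetwork's own code: a default JAXP factory as the weak baseline next to a hardened one, plus a self-check that proves a factory rejects DTDs before it is trusted with untrusted XML. The feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser; the XmlParserHardening class name and the probe document are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Weak vs hardened JAXP DocumentBuilderFactory for the CWE-611 issue described above,
 * plus a self-check a deployment can run at startup. Added example, not GeoNetwork code.
 */
public class XmlParserHardening {

    /** The pattern behind the vulnerability: a default factory, DTDs and external entities allowed. */
    public static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE at all, plus defence-in-depth flags for parsers that ignore it. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single control: any <!DOCTYPE ...> becomes a fatal parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case an implementation does not honour the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Self-check: parse a document with an internal-only DTD (it references no external
     * resource, so the probe is harmless on any parser) and require the factory to reject it.
     */
    public static boolean rejectsDoctype(DocumentBuilderFactory f) {
        String probe = "<?xml version=\"1.0\"?><!DOCTYPE p [<!ENTITY x \"probe\">]><p>&x;</p>";
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new InputSource(new ByteArrayInputStream(probe.getBytes(StandardCharsets.UTF_8))));
            return false; // parsed: DTD processing is on, unsafe for untrusted XML
        } catch (SAXParseException e) {
            return true;  // DOCTYPE rejected, as intended
        } catch (Exception e) {
            return false; // configuration or I/O error: not proven safe
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory rejects DOCTYPE:  " + rejectsDoctype(weakFactory()));
        System.out.println("hardened factory rejects DOCTYPE: " + rejectsDoctype(hardenedFactory()));
    }
}
```

With the JDK's built-in Xerces the default factory parses the probe (it expands the internal entity), while the hardened factory throws on the DOCTYPE; calling rejectsDoctype on every factory the application constructs, and failing startup when it returns false, turns the workaround into something that is verified rather than assumed.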
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

