Miggo Logo

CVE-2022-31189: JSPUI's "Internal System Error" page prints exceptions and stack traces without sanitization

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.2694%
Published
8/6/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.dspace:dspace-jspuimaven>= 4.0, <= 6.36.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The analysis focused on the changes made to handle and display error information. The doGet method in InternalErrorServlet.java and the compiled servlet method (_jspService) for internal.jsp are identified as relevant due to their involvement in error handling and display.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n *n "Int*rn*l Syst*m *rror" o**urs in t** JSPUI, t**n *ntir* *x**ption (in*lu*in* st**k tr***) is *v*il**l*. In*orm*tion in t*is st**ktr*** m*y ** us**ul to *n *tt**k*r in l*un**in* * mor* sop*isti**t** *tt**k. T*is vuln*r**ility only

Reasoning

T** *n*lysis *o*us** on t** ***n**s m*** to **n*l* *n* *ispl*y *rror in*orm*tion. T** `*o**t` m*t*o* in `Int*rn*l*rrorS*rvl*t.j*v*` *n* t** *ompil** s*rvl*t m*t*o* (`_jspS*rvi**`) *or `int*rn*l.jsp` *r* i**nti*i** *s r*l*v*nt *u* to t**ir involv*m*nt