CVE-2022-3338: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

An External XML entity (XXE) vulnerability was discovered in McAfee ePolicy Orchestrator (ePO) prior to version 5.10 Update 14. The vulnerability was assigned CVE-2022-3338 and was disclosed on September 27, 2022. This security flaw affects the ePO software, which is a security management platform (CVE Details).

The vulnerability is classified as an XML External Entity (XXE) injection, identified as CWE-611. It received a CVSS v3.1 base score of 5.4 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability can be exploited by mimicking the Agent Handler call to ePO and passing carefully constructed XML files through the API (NVD).

If successfully exploited, this vulnerability could allow an unauthenticated remote attacker to trigger a Server Side Request Forgery (SSRF) attack. This could potentially lead to unauthorized access to internal resources and information disclosure (CVE Details).

Users are advised to upgrade to ePO version 5.10 Update 14 or later to address this vulnerability. The fix has been implemented in the updated version to prevent exploitation of the XXE vulnerability (Trellix Advisory).