diff --git a/CVE-2022-2414.patch b/CVE-2022-2414.patch
new file mode 100644
index 0000000..1959f6d
--- /dev/null
+++ b/CVE-2022-2414.patch
@@ -0,0 +1,144 @@
+From 1fe34b30ed12710f6ea4c2fae4686f36dd4ef705 Mon Sep 17 00:00:00 2001
+From: Chris Kelley
+Date: Fri, 10 Jun 2022 17:25:07 +0100
+Subject: [PATCH] Disable access to external entities when parsing XML
+
+Origin: https://github.com/dogtagpki/pki/commit/1fe34b30ed12710f6ea4c2fae4686f36dd4ef705
+
+This reduces the vulnerability of XML parsers to XXE (XML external
+entity) injection.
+
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+---
+ .../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
+ .../cmscore/src/com/netscape/cmscore/apps/ServerXml.java | 1 +
+ base/test/src/com/netscape/test/TestListener.java | 5 ++++-
+ base/util/src/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
+ 4 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index 2090fec357a..6931fa5c5f5 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -24,6 +24,7 @@
+ import java.util.Locale;
+ import java.util.Vector;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.transform.OutputKeys;
+ import javax.xml.transform.Transformer;
+@@ -640,7 +641,10 @@ public static void main(String args[]) throws Exception {
+ XMLObject xmlObject = convertDomainInfoToXMLObject(before);
+ Document document = xmlObject.getDocument();
+ 
+- Transformer transformer = TransformerFactory.newInstance().newTransformer();
++ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
++ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+ 
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
+index 59a06ba39ba..2886291af2d 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/ServerXml.java
+@@ -40,6 +40,7 @@ public static ServerXml load(String filename) throws Exception {
+ ServerXml serverXml = new ServerXml();
+ 
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(filename);
+ 
+diff --git a/base/test/src/com/netscape/test/TestListener.java b/base/test/src/com/netscape/test/TestListener.java
+index 96c4c906892..d55458716fe 100644
+--- a/base/test/src/com/netscape/test/TestListener.java
++++ b/base/test/src/com/netscape/test/TestListener.java
+@@ -10,6 +10,7 @@
+ import java.util.Date;
+ import java.util.TimeZone;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -22,7 +23,6 @@
+ import org.junit.runner.Result;
+ import org.junit.runner.notification.Failure;
+ import org.junit.runner.notification.RunListener;
+-
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
+ import org.w3c.dom.Text;
+@@ -64,9 +64,12 @@ public TestListener() throws Exception {
+ dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
+ 
+ docBuilderFactory = DocumentBuilderFactory.newInstance();
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ 
+ transFactory = TransformerFactory.newInstance();
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ trans = transFactory.newTransformer();
+ trans.setOutputProperty(OutputKeys.INDENT, "yes");
+ 
+diff --git a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+index a7715ec9908..d8e0f413325 100644
+--- a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
++++ b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+@@ -25,6 +25,7 @@
+ import java.io.StringWriter;
+ import java.util.Vector;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.parsers.ParserConfigurationException;
+@@ -56,6 +57,7 @@ public XMLObject() throws ParserConfigurationException {
+ public XMLObject(InputStream s)
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(s);
+ }
+@@ -63,6 +65,7 @@ public XMLObject(InputStream s)
+ public XMLObject(File f)
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(f);
+ }
+@@ -159,6 +162,8 @@ public Vector getValuesFromContainer(Node container, String tagname) {
+ public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer aTransformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ Result dest = new StreamResult(bos);
+@@ -169,6 +174,8 @@ public byte[] toByteArray() throws TransformerConfigurationException, Transforme
+ public void output(OutputStream os)
+ throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer aTransformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ Result dest = new StreamResult(os);
+@@ -177,6 +184,8 @@ public void output(OutputStream os)
+ 
+ public String toXMLString() throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ StreamResult dest = new StreamResult(new StringWriter());
diff --git a/pki-core.spec b/pki-core.spec
index 1025b38..91d03e7 100644
--- a/pki-core.spec
+++ b/pki-core.spec
@@ -4,7 +4,7 @@
 
 Name: pki-core
 Version: 10.7.3
-Release: 4
+Release: 5
 Summary: The PKI Core Package
 License: GPLv2 and LGPLv2
 URL: http://www.dogtagpki.org/
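Review bot: The hardening is repeated verbatim at nine sites across the four files — `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` four times and the `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` pair five times — so any `DocumentBuilderFactory.newInstance()` added later will come without it; two shared factory helpers on XMLObject, which SecurityDomainProcessor already imports, would keep the XXE fix in one place (ServerXml and TestListener would need the import, which is not verified here). None of the new lines says why the feature is set, so each parse site should carry `// Reject any DOCTYPE: with no DTD there are no external entities (XXE) and no entity expansion; a parser that lacks this Xerces feature throws ParserConfigurationException, i.e. fails closed.` The `@@ -56,6 +57,7 @@` header names a no-arg `XMLObject()` constructor that lies outside the hunk; if it also creates a DocumentBuilderFactory it is not hardened by this patch and should be checked. The helpers below are the change I would make; every constructor and serializer then calls them instead of `newInstance()`.
```java
// … unchanged: imports …
    /**
     * Builds a DocumentBuilderFactory that rejects any DOCTYPE declaration.
     * With no DTD there are no external entities (XXE) and no entity
     * expansion; a parser that does not know this Xerces feature throws
     * ParserConfigurationException, so the call fails closed.
     */
    public static DocumentBuilderFactory newSecureDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory;
    }

    /**
     * Builds a TransformerFactory that may not fetch external DTDs or
     * stylesheets (JAXP 1.5 attributes). An implementation that lacks them
     * throws IllegalArgumentException rather than silently allowing access.
     */
    public static TransformerFactory newSecureTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    public XMLObject(InputStream s)
            throws SAXException, IOException, ParserConfigurationException {
        DocumentBuilder docBuilder = newSecureDocumentBuilderFactory().newDocumentBuilder();
        mDoc = docBuilder.parse(s);
    }
    // … unchanged: XMLObject(File), toByteArray, output, toXMLString — same substitution …
```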
@@ -13,6 +13,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.g
 Patch1: 0001-Fix-URL-redirection-for-KRA-and-OCSP-web-UI-241.patch
 Patch2: remove-sslget-V-option.patch
 Patch3: remove-revoker-V-option.patch
+Patch4: CVE-2022-2414.patch
 
 BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-1.8.0-openjdk-devel
 BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
@@ -438,6 +439,9 @@ fi
 %endif
 
 %changelog
+* Wed Jun 28 2023 wangkai <13474090681@163.com> - 10.7.3-5
+- Fix CVE-2022-2414
+
 * Mon Oct 11 2021 wangyue - 10.7.3-4
 - remove sslget and revoker -V option