Vulnerabilities > CVE-2022-26662 - XML Entity Expansion vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

tryton

debian

CWE-776

NVD

Published: 2022-03-10

Updated: 2022-03-18

Summary

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Vulnerable Configurations

Part	Description	Count
Application	Tryton Tryton Proteus 5.0.0 Tryton Proteus 5.0.11 Tryton Proteus 6.0.0 Tryton Proteus 6.0.4 Tryton Proteus 6.2.0 Tryton Proteus 6.2.1 Tryton Trytond 6.2.0 Tryton Trytond 6.2.5 Tryton Trytond 6.0.0 Tryton Trytond 6.0.15 Tryton Trytond 5.0.0 Tryton Trytond 5.0.1 Tryton Trytond 5.0.2 Tryton Trytond 5.0.3 Tryton Trytond 5.0.4 Tryton Trytond 5.0.5 Tryton Trytond 5.0.6 Tryton Trytond 5.0.7 Tryton Trytond 5.0.8 Tryton Trytond 5.0.9 Tryton Trytond 5.0.10 Tryton Trytond 5.0.11 Tryton Trytond 5.0.12 Tryton Trytond 5.0.13 Tryton Trytond 5.0.14 Tryton Trytond 5.0.15 Tryton Trytond 5.0.16 Tryton Trytond 5.0.17 Tryton Trytond 5.0.18 Tryton Trytond 5.0.19 Tryton Trytond 5.0.20 Tryton Trytond 5.0.21 Tryton Trytond 5.0.22 Tryton Trytond 5.0.23 Tryton Trytond 5.0.24 Tryton Trytond 5.0.25 Tryton Trytond 5.0.45	37
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3

Common Weakness Enumeration (CWE)

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References