CVE-2022-0217 — XML Entity Expansion in Prosody

CWE-776 — XML Entity Expansion CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 36.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Prosody

Timeline

PublishedAug 26

Description

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/prosody< prosody 0.11.12-1 (bookworm)

▶NVDprosody/prosody< 0.11.12

▶Debianprosody/prosody< 0.11.9-2+deb11u1+3

▶CVEListV5prosody/prosodyFixed in prosody 0.11.12, Affects all versions with support for WebSockets.

Patches

Patch: prosody.im ↗Patch: prosody.im ↗Patch: prosody.im ↗

🔴Vulnerability Details

OSV

CVE-2022-0217: It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML dat↗2022-08-26

▶

📋Vendor Advisories

Debian

CVE-2022-0217: prosody - It was discovered that an internal Prosody library to load XML based on libexpat...↗2022

▶