CVE-2022-26662 — XML Entity Expansion in Proteus

CWE-776 — XML Entity Expansion5 documents4 sources

Severity

7.5HIGHNVD

EPSS

5.6%

top 9.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tryton Proteus Tryton Trytond Labcenter Electronics Proteus +3 more

Timeline

PublishedMar 10

Latest updateMar 11

Description

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/tryton-server< tryton-proteus 6.0.5-1 (bookworm)

▶NVDtryton/proteus5.0.0 — 5.0.12+2

▶debiandebian/tryton-proteus< tryton-proteus 6.0.5-1 (bookworm)

▶NVDtryton/trytond5.0.0 — 5.0.46+2

▶PyPItryton/trytond5.0.0 — 5.0.46+2

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: bugs.tryton.org ↗Patch: bugs.tryton.org ↗

🔴Vulnerability Details

OSV

XML Entity Expansion in trytond and proteus↗2022-03-11

▶

GHSA

XML Entity Expansion in trytond and proteus↗2022-03-11

▶

OSV

CVE-2022-26662: An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5↗2022-03-10

▶

📋Vendor Advisories

Debian

CVE-2022-26662: tryton-proteus - An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platfor...↗2022

▶