Vulnerability Details : CVE-2022-0217
It was discovered that an internal Prosody library for loading XML, built on libexpat, does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
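As an added defensive illustration (not code from this page or from Prosody itself): a libexpat-based parser, here through Python's pyexpat binding, configured to refuse DOCTYPE and entity declarations outright, so neither recursive entity expansion nor external entity references can be reached. The XMPP-style stanza and the two DTD inputs are constructed samples; the `file:///placeholder` URI is a placeholder.

```python
import xml.parsers.expat


class RejectedXmlFeature(Exception):
    """Raised when input uses a DTD feature the parser refuses to process."""


def parse_restricted(data):
    """Parse XML with libexpat (Python's pyexpat binding) while refusing
    DOCTYPE and entity declarations. Returns the element events seen."""
    parser = xml.parsers.expat.ParserCreate()
    events = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Any DTD is refused up front: an internal subset can declare recursive
        # entities (CWE-776) and SYSTEM/PUBLIC ids can reference external
        # documents (CWE-611). Raising here aborts the parse immediately.
        raise RejectedXmlFeature("DOCTYPE not allowed: %s" % name)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # Defence in depth; with every DOCTYPE refused this never fires.
        raise RejectedXmlFeature("entity declaration not allowed: %s" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: events.append(("start", name))
    parser.EndElementHandler = lambda name: events.append(("end", name))
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return events


def is_accepted(data):
    """True if the document parses without touching a refused feature."""
    try:
        parse_restricted(data)
        return True
    except RejectedXmlFeature:
        return False


# Constructed samples: a plain stanza, a DTD with nested internal entities
# (the recursive-expansion pattern), and a DTD declaring an external entity.
BENIGN = b"<message to='user@example.com'><body>hello</body></message>"
NESTED_ENTITIES = (b"<!DOCTYPE x [<!ENTITY a 'aa'><!ENTITY b '&a;&a;'>]>"
                   b"<x>&b;</x>")
EXTERNAL_ENTITY = (b"<!DOCTYPE x [<!ENTITY ext SYSTEM 'file:///placeholder'>]>"
                   b"<x>&ext;</x>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("nested", NESTED_ENTITIES),
                       ("external", EXTERNAL_ENTITY)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```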
Vulnerability category: XML external entity (XXE) injection; Input validation
Products affected by CVE-2022-0217
- cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0217
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-0217
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2022-0217
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: secalert@redhat.com (Secondary)
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
- The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. Assigned by: nvd@nist.gov (Primary); secalert@redhat.com (Secondary)
References for CVE-2022-0217
- https://prosody.im/security/advisory_20220113/1.patch (Patch; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2040639 (2040639 – (CVE-2022-0217) CVE-2022-0217 prosody: unauthenticated remote Denial of Service Attack; Issue Tracking; Third Party Advisory)
- https://prosody.im/security/advisory_20220113/ (Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service); Exploit; Patch; Vendor Advisory)