Vulnerability Details : CVE-2022-26662
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Products affected by CVE-2022-26662
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*
- cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-26662
- EPSS score: 0.83% (probability of exploitation activity in the next 30 days)
- Percentile: ~83% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-26662
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2022-26662
- The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-26662
- https://www.debian.org/security/2022/dsa-5099 : Debian -- Security Information -- DSA-5099-1 tryton-proteus (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html : [SECURITY] [DLA 2946-1] tryton-proteus security update (Mailing List; Third Party Advisory)
- https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 : Security Release for issue11219 and issue11244 - News - Tryton Discussion (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html : [SECURITY] [DLA 2945-1] tryton-server security update (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5098 : Debian -- Security Information -- DSA-5098-1 tryton-server (Third Party Advisory)
- https://bugs.tryton.org/issue11244 : Issue 11244: A non authenticated user can cause a denial of service with a single request using an xml bomb attack on xmlrpc - Tryton issue tracker (Patch; Vendor Advisory)