← Volver a CVEs
CVE-2022-0217
HIGH7.5
Descripcion
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Detalles CVE
Puntuacion CVSS v3.17.5
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado8/26/2022
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
prosody:prosody
Debilidades (CWE)
CWE-776CWE-611CWE-776
Referencias
https://bugzilla.redhat.com/show_bug.cgi?id=2040639(secalert@redhat.com)
https://prosody.im/security/advisory_20220113/(secalert@redhat.com)
https://prosody.im/security/advisory_20220113/1.patch(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=2040639(af854a3a-2127-422b-91ae-364da2661108)
https://prosody.im/security/advisory_20220113/(af854a3a-2127-422b-91ae-364da2661108)
https://prosody.im/security/advisory_20220113/1.patch(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.