CVE-2022-0217
HIGH 7.5
Description
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
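The two failure modes named in the description, as an added example that is not Prosody's code (Prosody's XML loader is Lua over LuaExpat; this uses Python's xml.parsers.expat, which binds the same libexpat library). An expat parser with default settings expands a constructed four-level entity chain into 1,000 copies of its payload, while a parser that refuses any DOCTYPE never processes an entity declaration at all, which closes both the recursive-expansion path (CWE-776) and the external-entity path (CWE-611), since both require a DTD. The payload is deliberately small so it runs in milliseconds; ENTITY_EXPANSION_XML, parse_unrestricted, parse_restricted and DoctypeNotAllowed are names chosen for this example.

```python
"""Added example, not Prosody's code: expat with default DTD handling versus
expat with DOCTYPE rejected, run on a constructed entity-expansion document."""
import xml.parsers.expat as expat

# Constructed payload: four levels of tenfold references, so &d; expands to
# 10 * 10 * 10 = 1,000 copies of "lol" (3,000 characters) from ~300 bytes of
# input. A real "billion laughs" document nests nine or ten levels; this one
# stays small so the example is fast and does not trip libexpat's own
# amplification limit, which only activates above a multi-megabyte threshold.
ENTITY_EXPANSION_XML = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<message>&d;</message>"""

# Constructed benign stanza with no DTD at all.
BENIGN_XML = '<message xmlns="jabber:client"><body>hi</body></message>'


class DoctypeNotAllowed(ValueError):
    """Raised by the restricted parser when the document carries a DOCTYPE."""


def parse_unrestricted(data: str) -> int:
    """Parse with expat defaults: internal entities are expanded freely.

    Returns the number of character-data units delivered to the application,
    i.e. how much text the attacker forced the parser to materialise.
    """
    delivered = 0

    def on_chars(text: str) -> None:
        nonlocal delivered
        delivered += len(text)

    parser = expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return delivered


def parse_restricted(data: str) -> int:
    """Same parser, but the DOCTYPE start handler aborts before a single
    <!ENTITY> declaration is seen. No DTD means no recursive internal
    entities (CWE-776) and no external entity references (CWE-611)."""
    delivered = 0

    def on_chars(text: str) -> None:
        nonlocal delivered
        delivered += len(text)

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Exceptions raised inside a pyexpat handler propagate out of Parse().
        raise DoctypeNotAllowed(f"DOCTYPE {doctype_name!r} is not allowed")

    parser = expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)
    return delivered


def is_accepted(data: str) -> bool:
    """True if the restricted parser accepts the document, False if it was
    rejected for carrying a DOCTYPE."""
    try:
        parse_restricted(data)
        return True
    except DoctypeNotAllowed:
        return False


if __name__ == "__main__":
    print("unrestricted, expansion payload:", parse_unrestricted(ENTITY_EXPANSION_XML))
    print("unrestricted, benign stanza:    ", parse_unrestricted(BENIGN_XML))
    print("restricted accepts benign:      ", is_accepted(BENIGN_XML))
    print("restricted accepts payload:     ", is_accepted(ENTITY_EXPANSION_XML))
```

Rejecting the DOCTYPE outright is the right choice for an XMPP server: RFC 6120 forbids DTD subsets and non-predefined entity references on the stream, so a stanza with a DOCTYPE is malformed by definition. A parser that must accept DTDs would instead need an explicit expansion budget; relying on libexpat's built-in amplification limit is not enough on its own, because that limit only engages once expanded output passes a threshold of several megabytes, and it does not exist in older libexpat releases at all.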
CVE Details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Note that the vector rates availability only (C:N/I:N/A:H), i.e. the entity-expansion denial of service. The external-entity path (CWE-611) mentioned in the description would add a confidentiality impact on libexpat builds where it applies, and is not reflected in this score.
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2022-08-26
Last modified: 2024-11-21
Source: nvd
Honeypot sightings: 0
Affected products
prosody:prosody
Weaknesses (CWE)
CWE-776 (Improper Restriction of Recursive Entity References in DTDs, "XML Entity Expansion")
CWE-611 (Improper Restriction of XML External Entity Reference)
References
https://bugzilla.redhat.com/show_bug.cgi?id=2040639 (secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
https://prosody.im/security/advisory_20220113/ (secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
https://prosody.im/security/advisory_20220113/1.patch (secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.