CVE-2022-26662: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
(updated )
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
References
- bugs.tryton.org/issue11244
- discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
- lists.debian.org/debian-lts-announce/2022/03/msg00016.html
- lists.debian.org/debian-lts-announce/2022/03/msg00017.html
- nvd.nist.gov/vuln/detail/CVE-2022-26662
- www.debian.org/security/2022/dsa-5098
- www.debian.org/security/2022/dsa-5099
Detect and mitigate CVE-2022-26662 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →