Описание
XML Entity Expansion in trytond and proteus
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-26662
- https://bugs.tryton.org/issue11244
- https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
- https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
- https://www.debian.org/security/2022/dsa-5098
- https://www.debian.org/security/2022/dsa-5099
Пакеты
trytond
>= 5.0.0, < 5.0.46
5.0.46
trytond
>= 6.0.0, < 6.0.16
6.0.16
trytond
>= 6.1.0, < 6.2.6
6.2.6
proteus
>= 5.0.0, < 5.0.12
5.0.12
proteus
>= 6.0.0, < 6.0.5
6.0.5
proteus
>= 6.1.0, < 6.2.2
6.2.2
Связанные уязвимости
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
An XML Entity Expansion (XEE) issue was discovered in Tryton Applicati ...