ced
(Cédric Krier)
Synopsis
XML parsing vulnerabilities have been found by Jeremy Mousset in trytond and some modules.
With issue11219 an authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
With issue11244 a non-authenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Impact
issue11219
CVSS v3.0 Base Score: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
issue11244
CVSS v3.0 Base Score: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Workaround
It is possible to activate defusedxml, define default lxml parsers that do not resolve entities and upgrade expat to 2.4.1 or newer.
Resolution
All affected users should upgrade trytond and proteus to the latest version.
Affected versions per series:
- trytond:
  - 6.2: <= 6.2.5
  - 6.0: <= 6.0.15
  - 5.0: <= 5.0.45
- proteus:
  - 6.2: <= 6.2.1
  - 6.0: <= 6.0.4
  - 5.0: <= 5.0.11
Non-affected versions per series:
- trytond:
  - 6.2: >= 6.2.6
  - 6.0: >= 6.0.16
  - 5.0: >= 5.0.46
- proteus:
  - 6.2: >= 6.2.2
  - 6.0: >= 6.0.5
  - 5.0: >= 5.0.12
Reference
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.
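The workaround above boils down to one parser property: entity declarations and external entity references must never be honoured, because the same mechanism serves both the file-disclosure issue (issue11219) and the resource-exhaustion issue (issue11244). The following is an added example, not Tryton or defusedxml code, showing how to enforce that with only the Python standard library's expat binding (the advisory's own suggestion is defusedxml or lxml parsers with entity resolution disabled; this uses expat handlers instead) and how to check the installed expat against the 2.4.1 floor the advisory names. The sample XML documents are constructed for the example and are not real SEPA or XML-RPC payloads; the element names and the `expat_is_patched` helper are this example's own.

```python
# Added example (not trytond/proteus project code): refuse entity declarations
# and external entity references at the parser level, and verify the expat
# version against the floor stated in the advisory's workaround.
import pyexpat
from xml.parsers.expat import ParserCreate

# Minimum expat release named in the advisory's workaround.
MIN_EXPAT_VERSION = (2, 4, 1)


class UnsafeXMLError(ValueError):
    """Raised when a document declares or references an XML entity."""


def expat_is_patched(version_info=None):
    """True if the given (or the installed) expat version is >= 2.4.1.

    version_info defaults to pyexpat.version_info, a tuple such as (2, 5, 0).
    """
    info = pyexpat.version_info if version_info is None else version_info
    return tuple(info[:3]) >= MIN_EXPAT_VERSION


def parse_without_entities(data):
    """Parse XML and return the element names seen, refusing any entity.

    expat calls EntityDeclHandler for every entity declaration, internal
    (the expansion-bomb vector) and external (the file-read vector) alike,
    so raising from that handler covers both classes of problem described
    in the advisory. ExternalEntityRefHandler is set as a second guard.
    """
    parser = ParserCreate()
    seen = []

    def refuse_entity_decl(name, *_rest):
        # Raising inside an expat handler aborts Parse() with this exception.
        raise UnsafeXMLError("entity declaration refused: %r" % name)

    def refuse_external_ref(*_args):
        raise UnsafeXMLError("external entity reference refused")

    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_rejected(data):
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_without_entities(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents (not real SEPA or XML-RPC payloads).
BENIGN_DOC = b'<?xml version="1.0"?><Document><GrpHdr/><PmtInf/></Document>'
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Document [<!ENTITY e "placeholder">]>'
    b'<Document>&e;</Document>'
)

if __name__ == "__main__":
    print("expat %s patched: %s" % (pyexpat.version_info, expat_is_patched()))
    print("benign document elements:", parse_without_entities(BENIGN_DOC))
    print("entity document rejected:", is_rejected(ENTITY_DOC))
```

Refusing at declaration time rather than at expansion time is the important design choice: the parser never builds the entity table, so there is nothing to expand or fetch, and the check is independent of whether the document is a SEPA file or an XML-RPC request body. The version check complements rather than replaces this, since expat 2.4.1's expansion limits only address the amplification side.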
yangoon
(Mathias Behrle)
CVE
FTR I requested CVE numbers from mitre.org.
Please use CVE-2022-26661 for issue11219 and CVE-2022-26662 for issue11244.
system
(system)
Closed
This topic was automatically closed after 30 days. New replies are no longer allowed.