Security Release for issue11219 and issue11244

Synopsis

XML parsing vulnerabilities have been found by Jeremy Mousset in trytond and some modules.
With issue11219, an authenticated user can make the server parse a crafted XML SEPA file in order to access arbitrary files on the system.
With issue11244, a non-authenticated user can send a crafted XML-RPC message that consumes all the resources of the server.

Impact

issue11219

CVSS v3.0 Base Score: 6.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

issue11244

CVSS v3.0 Base Score: 7.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Workaround

It is possible to activate defusedxml, define default lxml parsers that do not resolve entities, and upgrade expat to 2.4.1 or newer.
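The workaround above asks for XML parsers that refuse to resolve entities. The following is an added example, not trytond's code and not the defusedxml library itself: it builds a parser on the standard-library expat bindings that aborts as soon as a document carries a DOCTYPE, an entity declaration or an external entity reference, which is the same property defusedxml enforces. The SEPA-like payloads are constructed for the demonstration; the `file:///placeholder/...` URI is a placeholder, not a real target.

```python
"""Added example: an entity-refusing XML parser built on the stdlib expat bindings.

Not trytond's own code. It mirrors the defusedxml workaround named in the
advisory: any DTD or entity construct aborts parsing before it can be expanded
or resolved, so neither file disclosure via an external entity (issue11219)
nor entity-expansion resource exhaustion (issue11244) can occur.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, entity declaration or external entity."""


def _refuse(what):
    """Build an expat handler that aborts parsing with a descriptive error."""
    def handler(*args):
        raise UnsafeXMLError(f"refusing XML with {what}")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse untrusted bytes into an ElementTree root while refusing DTD/entities."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()  # no namespace processing: tags stay as written
    # Hardening: the DOCTYPE handler fires before any entity is declared, so a
    # document with a DTD never reaches entity expansion or external resolution.
    parser.StartDoctypeDeclHandler = _refuse("a DOCTYPE declaration")
    parser.EntityDeclHandler = _refuse("an entity declaration")
    parser.UnparsedEntityDeclHandler = _refuse("an unparsed entity declaration")
    parser.ExternalEntityRefHandler = _refuse("an external entity reference")
    # Route the element events into a TreeBuilder so callers get a normal tree.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # an exception raised in a handler propagates here
    return builder.close()


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without any DTD or entity construct."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True


def expat_has_amplification_limits() -> bool:
    """The advisory asks for expat 2.4.1 or newer; report whether this runtime has it."""
    return expat.version_info >= (2, 4, 1)


# Constructed sample documents (not real SEPA messages).
SAFE_SEPA = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<Document><CstmrCdtTrfInitn><GrpHdr><MsgId>CONSTRUCTED-001</MsgId>"
    b"</GrpHdr></CstmrCdtTrfInitn></Document>"
)
# An external entity pointing at a placeholder path; the DOCTYPE alone is rejected.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Document [<!ENTITY ext SYSTEM "file:///placeholder/path/on/server">]>'
    b"<Document><MsgId>&ext;</MsgId></Document>"
)
# Nested internal entities, the shape used for expansion-based resource exhaustion.
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b"<r>&b;</r>"
)

if __name__ == "__main__":
    root = parse_untrusted_xml(SAFE_SEPA)
    print("safe document MsgId:", root.find("CstmrCdtTrfInitn/GrpHdr/MsgId").text)
    for name, doc in (("external entity", EXTERNAL_ENTITY), ("nested entities", NESTED_ENTITIES)):
        print(f"{name}: {'accepted' if is_safe_xml(doc) else 'rejected'}")
    print("expat >= 2.4.1:", expat_has_amplification_limits())
```

With lxml the equivalent setting is `lxml.etree.XMLParser(resolve_entities=False)` used as the default parser, and defusedxml ships `defusedxml.xmlrpc.monkey_patch()` to apply the same refusal to the standard-library XML-RPC parser. Refusing the DOCTYPE outright is the simplest policy: SEPA and XML-RPC documents never need a DTD, so nothing legitimate is lost.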

Resolution

All affected users should upgrade trytond and proteus to the latest version.

Affected versions per series:

  • trytond:

    • 6.2: <= 6.2.5
    • 6.0: <= 6.0.15
    • 5.0: <= 5.0.45
  • proteus:

    • 6.2: <= 6.2.1
    • 6.0: <= 6.0.4
    • 5.0: <= 5.0.11

Non affected versions per series:

  • trytond:

    • 6.2: >= 6.2.6
    • 6.0: >= 6.0.16
    • 5.0: >= 5.0.46
  • proteus:

    • 6.2: >= 6.2.2
    • 6.0: >= 6.0.5
    • 5.0: >= 5.0.12

Reference

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.


CVE

FTR I requested CVE numbers from mitre.org.

Please use
CVE-2022-26661 for issue11219
and
CVE-2022-26662 for issue11244
