Synopsis
XML parsing vulnerabilities have been found by Jeremy Mousset in trytond and some modules.
With issue11219, an authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
With issue11244, a non-authenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Impact
issue11219
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
issue11244
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Workaround
It is possible to activate defusedxml, define default lxml parsers that do not resolve entities, and upgrade expat to 2.4.1 or newer.
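As an added illustration of the "parsers that do not resolve entities" part of the workaround (example code, not Tryton's or defusedxml's own): a stdlib-only guard in the style of defusedxml that rejects any document declaring a DTD or entity before the real parser sees it, so neither an external entity (the camt54 case) nor nested internal entities (the XML-RPC case) are ever expanded. The sample documents, the camt.054 namespace and the placeholder file path are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or any entity."""


def reject_dtd_and_entities(data: bytes) -> None:
    # The expat handlers fire on the declaration itself, before any
    # entity is expanded, so an entity bomb is stopped at its
    # <!DOCTYPE> line and an external entity is never fetched.
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise UnsafeXML("DTD or entity declaration is not allowed")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse only after the guard confirms the document is entity-free."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if the guard accepts the document, False if it rejects it."""
    try:
        reject_dtd_and_entities(data)
    except UnsafeXML:
        return False
    return True


# Constructed samples (not real bank data or attacker traffic).
BENIGN_CAMT54 = (
    b'<Document xmlns="urn:iso:std:iso:20022:tech:xsd:camt.054.001.04">'
    b"<BkToCstmrDbtCdtNtfctn><Ntfctn><Id>NTF-1</Id></Ntfctn>"
    b"</BkToCstmrDbtCdtNtfctn></Document>"
)
# External entity pointing at a placeholder path: the XXE pattern.
EXTERNAL_ENTITY = (
    b'<!DOCTYPE Document [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret">]>'
    b"<Document><Ntfctn><Id>&xxe;</Id></Ntfctn></Document>"
)
# Nested internal entities: the shape of an entity-expansion bomb.
NESTED_ENTITIES = (
    b'<!DOCTYPE methodCall [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<methodCall><methodName>&b;</methodName></methodCall>"
)
```

Routing every untrusted SEPA file and XML-RPC body through safe_fromstring gives the same effect as the defusedxml workaround without changing the downstream ElementTree code.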
Resolution
All affected users should upgrade trytond and proteus to the latest version.
Affected versions per series:
- trytond:
  - 6.2: <= 6.2.5
  - 6.0: <= 6.0.15
  - 5.0: <= 5.0.45
- proteus:
  - 6.2: <= 6.2.1
  - 6.0: <= 6.0.4
  - 5.0: <= 5.0.11
Non affected versions per series:
- trytond:
  - 6.2: >= 6.2.6
  - 6.0: >= 6.0.16
  - 5.0: >= 5.0.46
- proteus:
  - 6.2: >= 6.2.2
  - 6.0: >= 6.0.5
  - 5.0: >= 5.0.12
Reference
- Issue 11219: A user can read the content of files on the machine running trytond by exploiting XEE vulnerability in camt54 parsing - Tryton issue tracker
- Issue 11244: A non authenticated user can cause a denial of service with a single request using an xml bomb attack on xmlrpc - Tryton issue tracker
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.