CVE-2022-26661
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-26661
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 6.0.5-1 |
| debian | bullseye | fixed | 5.0.8-1+deb11u1 |
| debian | forky | fixed | 6.0.5-1 |
| debian | sid | fixed | 6.0.5-1 |
| debian | trixie | fixed | 6.0.5-1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-26661
- https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
- https://foss.heptapod.net/tryton/tryton/-/issues/11219
- https://hg.tryton.org/trytond
- https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
- https://www.debian.org/security/2022/dsa-5098
- https://www.debian.org/security/2022/dsa-5099
- https://bugs.tryton.org/issue11219
- https://security-tracker.debian.org/tracker/CVE-2022-26661