CVE-2022-26662
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
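The defensive check this record implies, as an added illustration (not Tryton's own patch): XML-RPC never needs a DTD, so a request body carrying any DOCTYPE or entity declaration is refused before it is unmarshalled. Standard library only; the sample requests are constructed, and `system.listMethods` is used merely as a plausible method name.

```python
"""Reject XML-RPC requests that could trigger entity expansion (XEE)."""
import xml.parsers.expat
import xmlrpc.client


class UnsafeXmlRpcRequest(ValueError):
    """Raised when a request declares a DTD or an entity."""


def reject_entity_declarations(body: bytes) -> None:
    """Scan `body` with expat and raise on the first DTD/entity declaration.

    The scan aborts at the declaration itself, so no entity is ever expanded.
    Malformed XML surfaces as xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()

    def doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlRpcRequest("DOCTYPE declaration in XML-RPC request")

    def entity(*decl):
        raise UnsafeXmlRpcRequest("entity declaration in XML-RPC request")

    parser.StartDoctypeDeclHandler = doctype   # catches internal and external DTDs
    parser.EntityDeclHandler = entity          # belt and braces for entity declarations
    parser.Parse(body, True)


def guard_passes(body: bytes) -> bool:
    """True only for well-formed XML with no DTD or entity declaration."""
    try:
        reject_entity_declarations(body)
    except (UnsafeXmlRpcRequest, xml.parsers.expat.ExpatError):
        return False
    return True


def safe_loads(body: bytes):
    """Unmarshal an XML-RPC call, returning (params, methodname), after the guard."""
    reject_entity_declarations(body)
    return xmlrpc.client.loads(body)


# Constructed sample requests, not captured traffic.
BENIGN_REQUEST = xmlrpc.client.dumps((), methodname="system.listMethods").encode()
ENTITY_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [<!ENTITY x "aaaaaaaa">]>
<methodCall><methodName>&x;</methodName><params/></methodCall>"""
```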
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-26662
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 6.0.5-1 |
| debian | bullseye | fixed | 5.0.8-1+deb11u1 |
| debian | forky | fixed | 6.0.5-1 |
| debian | sid | fixed | 6.0.5-1 |
| debian | trixie | fixed | 6.0.5-1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-26662
- https://bugs.tryton.org/issue11244
- https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
- https://hg.tryton.org/trytond
- https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
- https://www.debian.org/security/2022/dsa-5098
- https://www.debian.org/security/2022/dsa-5099
- https://security-tracker.debian.org/tracker/CVE-2022-26662