CVE-2022-26661

Description

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

How to fix CVE-2022-26661

To remediate CVE-2022-26661, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.1-3+deb10u1 or later
• —upgrade to 5.0.8-1+deb11u1 or later
• —upgrade to 4.2.0-1+deb9u1 or later
• —upgrade to 4.2.1-2+deb9u2 or later
• —upgrade to 5.0.33-2+deb11u1 or later
• —upgrade to 5.0.4-2+deb10u1 or later
• —upgrade to 5.0.12 or later
• —upgrade to 5.0.12 or later
• —upgrade to 5.0.46 or later

Is CVE-2022-26661 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

• from 0, < 5.0.1-3+deb10u1
• from 0, < 5.0.8-1+deb11u1
• from 0, < 4.2.0-1+deb9u1
• from 0, < 4.2.1-2+deb9u2
• from 0, < 5.0.33-2+deb11u1
• from 0, < 5.0.4-2+deb10u1
• >= 5.0.0, < 5.0.12
• >= 5.0.0, < 5.0.12, >= 6.0.0, < 6.0.5, >= 6.2.0, < 6.2.2, < 6.2.6, < 6.0.16, < 5.0.46
• >= 5.0.0, < 5.0.46

CVSS scores

References (10)

• ADVISORYbugs.tryton.org/issue11219
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-26661
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-26661
• PATCHhg.tryton.org/trytond
• WEB