CVE-2022-26662
XML Entity Expansion in trytond and proteus
7.5
HIGH
CVSS 3.1
EPSS 5.6%
Description
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
How to fix CVE-2022-26662
To remediate CVE-2022-26662, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 5.0.8-1+deb11u1 or later
- upgrade to 5.0.33-2+deb11u1 or later
- upgrade to 5.0.12 or later
- upgrade to 5.0.12 or later
- upgrade to 5.0.46 or later
Is CVE-2022-26662 being exploited?
Moderate — EPSS is 5.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 5.0.8-1+deb11u1
- from 0, < 5.0.33-2+deb11u1
- >= 5.0.0, < 5.0.12
- >= 5.0.0, < 5.0.12, >= 6.0.0, < 6.0.5, >= 6.2.0, < 6.2.2, < 6.2.6, < 6.0.16, < 5.0.46
- >= 5.0.0, < 5.0.46
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |