CVE-2022-0217

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-0217

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0217.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-0217

Related

Published

2022-08-26T18:15:08Z

Modified

2024-09-18T03:18:57.019429Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

References

Affected packages

Debian:11 / prosody

Package

Name: prosody
Purl: pkg:deb/debian/prosody?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11.9-2+deb11u1

Affected versions

0.*

0.11.9-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / prosody

Package

Name: prosody
Purl: pkg:deb/debian/prosody?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / prosody

Package

Name: prosody
Purl: pkg:deb/debian/prosody?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}