GHSA-pm3h-mm62-pwm8

Suggest an improvement
Source
https://github.com/advisories/GHSA-pm3h-mm62-pwm8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pm3h-mm62-pwm8/GHSA-pm3h-mm62-pwm8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pm3h-mm62-pwm8
Aliases
Published
2022-03-11T00:02:04Z
Modified
2024-11-21T14:57:07.796966Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
XML Entity Expansion in trytond and proteus
Details

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Database specific
{
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "github_reviewed_at": "2022-03-28T15:54:14Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-776"
    ]
}
References

Affected packages

PyPI / trytond

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.46

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.0.24
5.0.25
5.0.26
5.0.27
5.0.28
5.0.29
5.0.30
5.0.31
5.0.32
5.0.33
5.0.34
5.0.35
5.0.36
5.0.37
5.0.38
5.0.39
5.0.40
5.0.41
5.0.42
5.0.43
5.0.44
5.0.45

PyPI / trytond

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.16

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15

PyPI / trytond

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.2.6

Affected versions

6.*

6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5

PyPI / proteus

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.12

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11

PyPI / proteus

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.5

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

PyPI / proteus

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.2.2

Affected versions

6.*

6.2.0
6.2.1