CVE-2022-0217
CVE-2022-0217 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). EPSS estimates a 4.40% chance of exploitation in the next 30 days.
Description
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
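As an added illustration (not code from Prosody or its advisory), the mitigation the description implies, using Python's standard-library binding to libexpat: a permissive parser accepts the DTD and expands nested entity references, while a restricted parser installs DOCTYPE and entity-declaration handlers that abort before expat expands anything. The sample documents, the `DtdRejected` error type and the function names are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample: a tiny document whose internal DTD declares nested
# general entities, so one reference in the body expands to 16 copies of "xx".
NESTED_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY a "xx">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<message>&c;</message>
"""

# Constructed sample: an ordinary document with no DTD at all.
PLAIN_DOC = "<message>hello</message>"


class DtdRejected(ValueError):
    """Raised when a document uses DTD features the parser does not allow."""


def parse_permissive(doc):
    """Default expat behaviour: internal DTD accepted, entities expanded.
    Returns the number of character-data characters delivered to the caller."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []
    parser.CharacterDataHandler = seen.append
    parser.Parse(doc, True)
    return sum(len(chunk) for chunk in seen)


def parse_restricted(doc):
    """Hardened variant: any DOCTYPE or entity declaration aborts parsing
    (an exception raised inside an expat handler propagates out of Parse),
    so no entity reference is ever expanded. Returns the same count."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' not allowed in this stream")

    def reject_entity(name, *rest):
        raise DtdRejected(f"entity declaration '{name}' not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    seen = []
    parser.CharacterDataHandler = seen.append
    parser.Parse(doc, True)
    return sum(len(chunk) for chunk in seen)


def is_rejected(doc):
    """True when the restricted parser refuses the document."""
    try:
        parse_restricted(doc)
    except DtdRejected:
        return True
    return False
```

The permissive parser returns 32 characters for a 2-character entity body, which is the amplification CWE-776 describes in miniature; the restricted parser still accepts plain documents unchanged.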
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- CWE-611: Improper Restriction of XML External Entity Reference
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Prosody | Prosody | < 0.11.12 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2040639 (Issue Tracking, Third Party Advisory)
- https://prosody.im/security/advisory_20220113/ (Exploit, Patch, Vendor Advisory)
- https://prosody.im/security/advisory_20220113/1.patch (Patch, Vendor Advisory)
Source: NVD / NIST
