CVE-2022-0217
Summary
| CVE | CVE-2022-0217 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-26 18:15:00 UTC |
| Updated | 2023-11-07 03:41:00 UTC |
| Description | It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). |
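The description above names two distinct failures of the same XML loader: internal entity expansion from a DTD (CWE-776, which is what the advisory's "remote Denial of Service" refers to) and, with some libexpat versions, resolution of external entities (CWE-611). The check a practitioner wants is that the parser aborts on the `<!DOCTYPE ...>` itself, before any entity inside it has been declared, rather than trying to bound expansion afterwards. The following is an added example written for this page, not code from Prosody or from its patch; it uses Python's `xml.parsers.expat`, which wraps the same libexpat library, and the XML inputs (`ENTITY_BOMB`, `XXE_PROBE`, `BENIGN`) are constructed here for the demonstration.

```python
"""Added example (not Prosody's code): recursive entity expansion (CWE-776)
against an unrestricted libexpat parser, and the same parser configured to
refuse any DTD, entity declaration or external entity reference."""
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER


class ForbiddenXMLFeature(Exception):
    """Raised when input uses an XML feature the stream parser does not allow."""


# Constructed sample inputs (not taken from the advisory).
# Four levels of tenfold expansion: one &lol4; reference yields 10**4 copies
# of "lol", so ~600 bytes of input become 30,000 bytes of character data.
ENTITY_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<message><body>&lol4;</body></message>"""

# An external entity (CWE-611 probe); whether it is ever resolved depends on
# the expat binding and version, which is why the hardened parser rejects the
# DOCTYPE outright instead of reasoning about resolution behaviour.
XXE_PROBE = """<?xml version="1.0"?>
<!DOCTYPE m [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<message><body>&ext;</body></message>"""

BENIGN = "<message><body>hello &amp; welcome</body></message>"


def parse_unrestricted(xml_text):
    """Parse with libexpat defaults and return the number of characters of
    character data delivered. Internal entities are expanded, so the bomb
    amplifies a few hundred bytes of input into tens of thousands of bytes.
    libexpat >= 2.4.1 caps the amplification factor, but by default only once
    8 MiB have been processed, so small-but-expensive inputs still expand."""
    chars = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chars.append
    p.Parse(xml_text, True)
    return sum(len(c) for c in chars)


def parse_restricted(xml_text):
    """Same parser, but any DTD, entity declaration, external entity reference
    or processing instruction aborts parsing before expansion can happen.
    Returns the character-data length for documents that pass."""
    chars = []
    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = chars.append

    def reject(*_args):
        # An exception raised inside a handler propagates out of Parse().
        raise ForbiddenXMLFeature("DTD, entity or PI not allowed on this stream")

    # <!DOCTYPE ...> is reported before any entity inside it is declared, so
    # this handler alone stops both the entity bomb and the XXE probe.
    p.StartDoctypeDeclHandler = reject
    # Defence in depth: refuse entity declarations, external entity
    # references and processing instructions should a DTD ever get through.
    p.EntityDeclHandler = reject
    p.ExternalEntityRefHandler = reject
    p.ProcessingInstructionHandler = reject
    p.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(xml_text, True)
    return sum(len(c) for c in chars)


def is_rejected(xml_text):
    """True if the restricted parser refuses the document."""
    try:
        parse_restricted(xml_text)
    except ForbiddenXMLFeature:
        return True
    return False


if __name__ == "__main__":
    print("benign, unrestricted :", parse_unrestricted(BENIGN), "chars")
    print("benign, restricted   :", parse_restricted(BENIGN), "chars")
    print("bomb, unrestricted   :", parse_unrestricted(ENTITY_BOMB), "chars")
    print("bomb, restricted     : rejected =", is_rejected(ENTITY_BOMB))
    print("xxe probe, restricted: rejected =", is_rejected(XXE_PROBE))
```

The restricted parser rejects on `StartDoctypeDeclHandler` because that callback fires as soon as the DOCTYPE is opened; the entity-declaration and external-entity handlers never run for these inputs but are kept so that the policy does not depend on handler ordering. XMPP streams (RFC 6120 section 11.1) prohibit DTDs, non-predefined entity references, processing instructions and comments, so an XMPP server can apply this policy to every inbound stream without breaking legitimate clients.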
Risk And Classification
Problem Types: CWE-611 (Improper Restriction of XML External Entity Reference) | CWE-776 (Improper Restriction of Recursive Entity References in DTDs, 'XML Entity Expansion')
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 2040639 – (CVE-2022-0217) CVE-2022-0217 prosody: unauthenticated remote Denial of Service Attack | MISC | bugzilla.redhat.com | |
| prosody.im/security/advisory_20220113/1.patch | MISC | prosody.im | |
| Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service) | MISC | prosody.im | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 179004 Debian Security Update for prosody (DSA 5047-1)
- 183392 Debian Security Update for prosody (CVE-2022-0217)
- 282272 Fedora Security Update for prosody (FEDORA-2022-426ea6c0b7)
- 282278 Fedora Security Update for prosody (FEDORA-2022-50afc572a4)
- 502165 Alpine Linux Security Update for prosody
- 690773 Free Berkeley Software Distribution (FreeBSD) Security Update for prosody xmpp server advisory 2022-01-13 (e3ec8b30-757b-11ec-922f-654747404482)