It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2040639 | Issue Tracking Third Party Advisory |
https://prosody.im/security/advisory_20220113/ | Exploit Patch Vendor Advisory |
https://prosody.im/security/advisory_20220113/1.patch | Patch Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2022-08-26T17:25:47
Updated: 2022-08-26T17:25:47
Reserved: 2022-01-13T00:00:00
Link: CVE-2022-0217
JSON object: View
NVD Information
Status : Modified
Published: 2022-08-26T18:15:08.833
Modified: 2023-11-07T03:41:09.607
Link: CVE-2022-0217
JSON object: View
Redhat Information
No data.