Vulnerability DatabaseCVE-2022-0217
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-0217
August 26, 2022
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Related Resources (7)
https://prosody.im/security/advisory_20220113/1.patch
https://bugzilla.redhat.com/show_bug.cgi?id=2040639
https://people.canonical.com/~ubuntu-security/cve/CVE-2022-0217
https://security.alpinelinux.org/vuln/CVE-2022-0217
https://security-tracker.debian.org/tracker/CVE-2022-0217
https://prosody.im/security/advisory_20220113/
https://github.com/bjc/prosody/commit/23a43df6fb5d3928c66f90d5c4475bca15694673
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-776
EPSS
Base Score:
0.46