CVE-2022-0217 Vulnerability Details

  /     /     /  

CVE-2022-0217 Metadata Quick Info

CVE Published: 26/08/2022 | CVE Updated: 02/08/2024 | CVE Year: 2022
Source: redhat | Vendor: n/a | Product: prosody
Status : PUBLISHED

---

CVE-2022-0217 Description

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-776
CWE Name: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ( XML Entity Expansion ), CWE-20 - Improper Input Validation.
Source: n/a

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).