XML Parsing Vulnerability in Prosody XMPP Server by Prosody IM
CVE-2022-0217

7.5 HIGH

Key Information:

Vendor: Prosody
Status: Vendor
CVE Published: 26 August 2022

What is CVE-2022-0217?

An internal library within the Prosody XMPP Server inadequately restricts XML features during parsing, allowing recursive entity reference expansion from DTDs. This flaw could be exploited by attackers to manipulate XML data, leading to unauthorized access. Additionally, depending on the version of the libexpat library in use, it may also enable XML External Entity (XXE) reference injection, which can compromise the integrity of the server and expose sensitive information.
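Added example (not Prosody's code): an expat parser, via Python's xml.parsers.expat binding, that refuses any DOCTYPE before internal entities can be declared or expanded, shown beside expat's permissive default. The nested-entity sample document is constructed for illustration, and the handler-based rejection is my own version of the kind of restriction the fix applies, not the project's implementation.

```python
import xml.parsers.expat

# Constructed sample input (not from the advisory): a small internal DTD
# whose entities reference each other, so the 3-byte reference "&c;" in
# the body expands to 1000 bytes of character data.
NESTED_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">'
    '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
    '<d>&c;</d>'
)
PLAIN_DOC = '<?xml version="1.0"?><d>hello</d>'


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when the document carries a DTD."""


def parse_text(doc, allow_dtd):
    """Parse `doc` with expat and return its concatenated character data.

    With allow_dtd=False the StartDoctypeDecl callback aborts parsing as
    soon as a DOCTYPE appears, before any entity from its internal subset
    can be declared or expanded.  With allow_dtd=True expat's default
    behaviour applies and nested internal entities are expanded in full.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    if not allow_dtd:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            # An exception raised in a handler propagates out of Parse().
            raise DoctypeRejected("DOCTYPE %r not permitted" % name)
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(doc, True)
    return "".join(chunks)


def is_rejected(doc):
    """True if the hardened parser refuses `doc` because it carries a DTD."""
    try:
        parse_text(doc, allow_dtd=False)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print(len(parse_text(NESTED_ENTITY_DOC, allow_dtd=True)))   # 1000
    print(is_rejected(NESTED_ENTITY_DOC), is_rejected(PLAIN_DOC))  # True False
```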

Affected Version(s)

prosody: fixed in prosody 0.11.12; affects all versions with support for WebSockets.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved