Bug 1197033 (CVE-2022-26662)

Summary: VUL-0: CVE-2022-26662: trytond: unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Basesystem
Assignee: Axel Braun <axel.braun>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: eldy
Version: Leap 15.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/325790/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2022-03-11 14:36:51 UTC
CVE-2022-26662

An XML Entity Expansion (XEE) issue was discovered in Tryton Application
Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x
through 6.2.5, and Tryton Application Platform (Command Line Client (proteus))
5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An
unauthenticated user can send a crafted XML-RPC message to consume all the
resources of the server.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26662
http://www.debian.org/security/-1/dsa-5099
http://www.debian.org/security/-1/dsa-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26662
https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
https://bugs.tryton.org/issue11244
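
The description above classifies the flaw as XML Entity Expansion reached through XML-RPC. As an added illustration (not Tryton's code and not the fix shipped in the requests below), the following Python shows the kind of pre-parse guard a server can apply with the standard library alone: refuse any request body that carries a DOCTYPE or entity declaration, so a crafted payload is never expanded. Python's own xmlrpc parser does not reject such declarations by itself. The method name and both request bodies are constructed for the example.

```python
"""Pre-parse guard for XML-RPC request bodies (illustrative hardening).

Not Tryton's code or its fix: it shows the idea of refusing any request
that declares a DOCTYPE or entities, so an XEE payload is never expanded."""
import xml.parsers.expat
import xmlrpc.client


class UnsafeXMLError(ValueError):
    """Request body contains a DOCTYPE or an entity declaration."""


def _reject(*_args):
    # Called by expat on <!DOCTYPE ...> or <!ENTITY ...>; raising here
    # aborts parsing before any entity can be expanded.
    raise UnsafeXMLError("DTD and entity declarations are not allowed")


def check_xmlrpc_body(body: bytes) -> None:
    """Scan the raw body with a bare expat parser that only carries the
    two rejecting handlers; nothing is built, so the scan costs a single
    pass over the input."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.Parse(body, True)


def load_xmlrpc_request(body: bytes):
    """Validate first, then let the standard XML-RPC parser decode it."""
    check_xmlrpc_body(body)
    return xmlrpc.client.loads(body)  # returns (params, methodname)


def request_is_accepted(body: bytes) -> bool:
    try:
        check_xmlrpc_body(body)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample requests; "model.search" is a made-up method name.
SAFE_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>model.search</methodName>'
    b'<params><param><value><string>party.party</string></value></param>'
    b'</params></methodCall>'
)
UNSAFE_REQUEST = (  # small internal DTD; the guard stops at <!DOCTYPE
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE methodCall [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<methodCall><methodName>model.search</methodName>'
    b'<params><param><value><string>&b;</string></value></param></params>'
    b'</methodCall>'
)
```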

Comment 1 Axel Braun 2022-03-12 15:05:20 UTC
Issue is fixed in:
https://build.opensuse.org/request/show/959299
https://build.opensuse.org/request/show/959366

https://smash.suse.de/issue/325790/ is not a valid URL (page not found).
Please avoid SUSE-internal machines for openSUSE bugs.

Comment 2 Axel Braun 2022-05-02 10:11:29 UTC
Versions including the security fix are already shipped -> closing