Bugzilla – Bug 1197033
VUL-0: CVE-2022-26662: trytond: unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server
Last modified: 2022-05-02 10:11:29 UTC
CVE-2022-26662 An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26662
http://www.debian.org/security/-1/dsa-5099
http://www.debian.org/security/-1/dsa-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26662
https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
https://bugs.tryton.org/issue11244
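A defensive check for the XEE vector described in the CVE text, added here as an illustration and not code from Tryton or the openSUSE package: the stdlib XML-RPC unmarshaller processes an internal DTD silently and expands its entities, so the guard pre-scans the body with expat and refuses any DOCTYPE (stricter than defusedxml's default of refusing entity declarations, but XML-RPC never needs a DTD). The sample request bodies and the helpers `reject_dtd` and `safe_xmlrpc_loads` are constructed for this example.

```python
import xml.parsers.expat
import xmlrpc.client

# Constructed sample bodies. The second declares one harmless entity, enough to
# show that the stdlib loader expands it while the guard refuses the body.
PLAIN_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>ping</methodName>'
    b'<params><param><value><string>ok</string></value></param></params>'
    b'</methodCall>'
)
DTD_REQUEST = (
    b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "hi">]>'
    b'<methodCall><methodName>ping</methodName>'
    b'<params><param><value><string>&e;&e;</string></value></param></params>'
    b'</methodCall>'
)

class DTDForbidden(ValueError):
    """Raised when an XML-RPC body carries a DOCTYPE declaration."""

def reject_dtd(data: bytes) -> None:
    """Parse once with expat and abort at the first DOCTYPE.

    An exception raised inside an expat handler propagates out of Parse(), so
    the scan stops before any entity in the internal subset is even declared.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE not allowed in XML-RPC body: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)

def safe_xmlrpc_loads(data: bytes):
    """xmlrpc.client.loads, gated on reject_dtd (hypothetical helper)."""
    reject_dtd(data)
    return xmlrpc.client.loads(data)

def demo() -> dict:
    """Compare the unguarded and guarded loaders on both samples."""
    results = {"plain": safe_xmlrpc_loads(PLAIN_REQUEST)}
    results["dtd_stdlib"] = xmlrpc.client.loads(DTD_REQUEST)  # entity expanded
    try:
        safe_xmlrpc_loads(DTD_REQUEST)
        results["dtd_guarded"] = "accepted"
    except DTDForbidden:
        results["dtd_guarded"] = "rejected"
    return results
```

The pre-scan parses the body a second time, so pair it with a request size limit at the HTTP layer rather than relying on it alone.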
Issue is fixed in https://build.opensuse.org/request/show/959299 https://build.opensuse.org/request/show/959366
https://smash.suse.de/issue/325790/ is not a valid URL (page not found). Please avoid SUSE-internal machines for openSUSE bugs.
Versions including the security fix are already shipped -> closing.