First published: Fri Jan 14 2022(Updated: )
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Prosody Prosody | <0.11.12 | |
redhat/prosody | <0.11.12 | 0.11.12 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-0217 is a vulnerability in Prosody that allows for expansion of recursive entity references from DTDs, which can be exploited by an attacker.
The severity of CVE-2022-0217 is high, with a CVSS score of 7.5.
Prosody version up to exclusive 0.11.12 is affected by CVE-2022-0217.
CVE-2022-0217 can be exploited by providing suitable attacker input to trigger the expansion of recursive entity references from DTDs.
You can find more information about CVE-2022-0217 in the following references: [Reference 1](https://bugzilla.redhat.com/show_bug.cgi?id=2040639), [Reference 2](https://prosody.im/security/advisory_20220113/), [Reference 3](https://prosody.im/security/advisory_20220113/1.patch)