Vulnerability-Lookup

CVE-2022-26661 (GCVE-0-2022-26661)

Vulnerability from cvelistv5 – Published: 2022-03-07 22:40 – Updated: 2024-08-03 05:11

Summary

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

FKIE_CVE-2022-26661

Vulnerability from fkie_nvd - Published: 2022-03-10 17:47 - Updated: 2024-11-21 06:54

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cve@mitre.org	https://bugs.tryton.org/issue11219	Exploit, Issue Tracking, Vendor Advisory
cve@mitre.org	https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059	Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html	Mailing List, Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2022/dsa-5098	Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2022/dsa-5099	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.tryton.org/issue11219	Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2022/dsa-5098	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2022/dsa-5099	Third Party Advisory

Impacted products

Vendor	Product	Version
tryton	proteus	*
tryton	proteus	*
tryton	proteus	*
tryton	trytond	*
tryton	trytond	*
tryton	trytond	*
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D19FC38-D40C-4A7C-99E3-42621FE4C431",
              "versionEndExcluding": "5.0.12",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE9FF23A-193D-4259-8F56-210FFCFE9576",
              "versionEndExcluding": "6.0.5",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56DC449B-B042-4FDD-B7B7-9CFF27A008FE",
              "versionEndExcluding": "6.2.2",
              "versionStartIncluding": "6.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BAC63578-DEAD-4070-9C57-18B57104F94B",
              "versionEndExcluding": "5.0.46",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "49798AD5-E1A7-46DE-B0AC-9F6BA201BBCB",
              "versionEndExcluding": "6.0.16",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FA10D50-8E3E-47F0-8C6A-F849F27B5F44",
              "versionEndExcluding": "6.2.6",
              "versionStartIncluding": "6.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema de tipo XXE en Tryton Application Platform (Server) versiones 5.x hasta 5.0.45, versiones 6.x hasta 6.0.15, y versiones 6.1.x y 6.2.x hasta 6.2.5, y Tryton Application Platform (Command Line Client (proteus)) versiones 5.x hasta 5.0.11, versiones 6.x hasta 6.0.4, y versiones 6.1.x y 6.2.x hasta 6.2.1. Un usuario autenticado puede hacer que el servidor analice un archivo XML SEPA dise\u00f1ado para acceder a archivos arbitrarios en el sistema"
    }
  ],
  "id": "CVE-2022-26661",
  "lastModified": "2024-11-21T06:54:16.947",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-10T17:47:52.213",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugs.tryton.org/issue11219"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5098"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5099"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugs.tryton.org/issue11219"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5098"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5099"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-26661

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-26661

Aliases

CVE-2022-26661

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-26661",
    "description": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
    "id": "GSD-2022-26661",
    "references": [
      "https://www.debian.org/security/2022/dsa-5099",
      "https://www.debian.org/security/2022/dsa-5098",
      "https://www.suse.com/security/cve/CVE-2022-26661.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26661"
      ],
      "details": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
      "id": "GSD-2022-26661",
      "modified": "2023-12-13T01:19:38.696974Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-26661",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugs.tryton.org/issue11219",
            "refsource": "MISC",
            "url": "https://bugs.tryton.org/issue11219"
          },
          {
            "name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
            "refsource": "MISC",
            "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
          },
          {
            "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
          },
          {
            "name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
          },
          {
            "name": "DSA-5098",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5098"
          },
          {
            "name": "DSA-5099",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5099"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.0.0,\u003c5.0.12||\u003e=6.0.0,\u003c6.0.5||\u003e=6.1.0,\u003c6.2.2",
          "affected_versions": "All versions starting from 5.0.0 before 5.0.12, all versions starting from 6.0.0 before 6.0.5, all versions starting from 6.1.0 before 6.2.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2022-03-29",
          "description": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
          "fixed_versions": [
            "5.0.12",
            "6.0.5",
            "6.2.2"
          ],
          "identifier": "CVE-2022-26661",
          "identifiers": [
            "GHSA-cj78-rgw3-4h5p",
            "CVE-2022-26661"
          ],
          "not_impacted": "All versions before 5.0.0, all versions starting from 5.0.12 before 6.0.0, all versions starting from 6.0.5 before 6.1.0, all versions starting from 6.2.2",
          "package_slug": "pypi/proteus",
          "pubdate": "2022-03-11",
          "solution": "Upgrade to versions 5.0.12, 6.0.5, 6.2.2 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-26661",
            "https://bugs.tryton.org/issue11219",
            "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
            "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html",
            "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html",
            "https://www.debian.org/security/2022/dsa-5098",
            "https://www.debian.org/security/2022/dsa-5099",
            "https://github.com/advisories/GHSA-cj78-rgw3-4h5p"
          ],
          "uuid": "17ea499b-d3de-4728-917a-628e31f67ecc"
        },
        {
          "affected_range": "\u003e=5.0.0,\u003c5.0.46||\u003e=6.0.0,\u003c6.0.16||\u003e=6.2.0,\u003c6.2.6",
          "affected_versions": "All versions starting from 5.0.0 before 5.0.46, all versions starting from 6.0.0 before 6.0.16, all versions starting from 6.2.0 before 6.2.6",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2022-03-18",
          "description": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
          "fixed_versions": [
            "5.0.46",
            "6.0.16",
            "6.2.6"
          ],
          "identifier": "CVE-2022-26661",
          "identifiers": [
            "CVE-2022-26661"
          ],
          "not_impacted": "All versions before 5.0.0, all versions starting from 5.0.46 before 6.0.0, all versions starting from 6.0.16 before 6.2.0, all versions starting from 6.2.6",
          "package_slug": "pypi/trytond",
          "pubdate": "2022-03-10",
          "solution": "Upgrade to versions 5.0.46, 6.0.16, 6.2.6 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-26661",
            "https://bugs.tryton.org/issue11219",
            "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
            "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html",
            "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html",
            "https://www.debian.org/security/2022/dsa-5098",
            "https://www.debian.org/security/2022/dsa-5099"
          ],
          "uuid": "28a6d82d-3ac2-4c12-b255-81c40a72654b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.12",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.5",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.2.2",
                "versionStartIncluding": "6.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.46",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.16",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.2.6",
                "versionStartIncluding": "6.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26661"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.tryton.org/issue11219",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugs.tryton.org/issue11219"
            },
            {
              "name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
            },
            {
              "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
            },
            {
              "name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
            },
            {
              "name": "DSA-5098",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5098"
            },
            {
              "name": "DSA-5099",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5099"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-03-18T14:46Z",
      "publishedDate": "2022-03-10T17:47Z"
    }
  }
}

PYSEC-2022-43170

Vulnerability from pysec - Published: 2022-03-10 17:47 - Updated: 2024-11-21 14:23

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impacted products

Name	purl
tryton	pkg:pypi/tryton

Aliases

CVE-2022-26661

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tryton",
        "purl": "pkg:pypi/tryton"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.12"
            },
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.5"
            },
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.2.2"
            },
            {
              "fixed": "6.2.6"
            },
            {
              "fixed": "6.0.16"
            },
            {
              "fixed": "5.0.46"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.0.0",
        "5.0.1",
        "5.0.10",
        "5.0.11",
        "5.0.2",
        "5.0.3",
        "5.0.4",
        "5.0.5",
        "5.0.6",
        "5.0.7",
        "5.0.8",
        "5.0.9",
        "6.0.0",
        "6.0.1",
        "6.0.2",
        "6.0.3",
        "6.0.4",
        "6.2.0",
        "6.2.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26661"
  ],
  "details": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
  "id": "PYSEC-2022-43170",
  "modified": "2024-11-21T14:23:02.248212+00:00",
  "published": "2022-03-10T17:47:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://bugs.tryton.org/issue11219"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.tryton.org/issue11219"
    },
    {
      "type": "ADVISORY",
      "url": "https://bugs.tryton.org/issue11219"
    },
    {
      "type": "ADVISORY",
      "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.debian.org/security/2022/dsa-5098"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.debian.org/security/2022/dsa-5099"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ78-RGW3-4H5P

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-28 15:56

Summary

Improper Restriction of XML External Entity Reference in trytond and proteus

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.46"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "proteus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "proteus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "proteus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0"
            },
            {
              "fixed": "6.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-28T15:56:00Z",
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "severity": "MODERATE"
  },
  "details": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.",
  "id": "GHSA-cj78-rgw3-4h5p",
  "modified": "2022-03-28T15:56:00Z",
  "published": "2022-03-11T00:02:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26661"
    },
    {
      "type": "WEB",
      "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"
    },
    {
      "type": "WEB",
      "url": "https://foss.heptapod.net/tryton/tryton/-/issues/11219"
    },
    {
      "type": "PACKAGE",
      "url": "https://hg.tryton.org/trytond"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5098"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in trytond and proteus"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-26661 (GCVE-0-2022-26661)

FKIE_CVE-2022-26661

GSD-2022-26661

PYSEC-2022-43170

GHSA-CJ78-RGW3-4H5P

Tags

Sightings

Nomenclature