GHSA-pm3h-mm62-pwm8

Source
https://github.com/advisories/GHSA-pm3h-mm62-pwm8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pm3h-mm62-pwm8/GHSA-pm3h-mm62-pwm8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pm3h-mm62-pwm8
Aliases
Published
2022-03-11T00:02:04Z
Modified
2024-11-21T14:59:33.219130Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
XML Entity Expansion in trytond and proteus
Details

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Database specific
{
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "github_reviewed_at": "2022-03-28T15:54:14Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-776"
    ]
}
References

Affected packages

PyPI / trytond

Affected range (type: ECOSYSTEM): introduced 5.0.0, fixed 5.0.46

Affected versions (5.*):

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.0.24
5.0.25
5.0.26
5.0.27
5.0.28
5.0.29
5.0.30
5.0.31
5.0.32
5.0.33
5.0.34
5.0.35
5.0.36
5.0.37
5.0.38
5.0.39
5.0.40
5.0.41
5.0.42
5.0.43
5.0.44
5.0.45

PyPI / trytond

Affected range (type: ECOSYSTEM): introduced 6.0.0, fixed 6.0.16

Affected versions (6.*):

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15

PyPI / trytond

Affected range (type: ECOSYSTEM): introduced 6.1.0, fixed 6.2.6

Affected versions (6.*):

6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5

PyPI / proteus

Affected range (type: ECOSYSTEM): introduced 5.0.0, fixed 5.0.12

Affected versions (5.*):

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11

PyPI / proteus

Affected range (type: ECOSYSTEM): introduced 6.0.0, fixed 6.0.5

Affected versions (6.*):

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

PyPI / proteus

Affected range (type: ECOSYSTEM): introduced 6.1.0, fixed 6.2.2

Affected versions (6.*):

6.2.0
6.2.1