XML Entity Expansion in Tryton Application Platform (Server) and Tryton Application Platform (Console Client)

#VU61540 XML Entity Expansion in Tryton Application Platform (Server) and Tryton Application Platform (Console Client)

Published: 2022-03-22

Vulnerability identifier: #VU61540

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26662

CWE-ID: CWE-776

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Tryton Application Platform (Server)
Server applications / Application servers
Tryton Application Platform (Console Client)
Client/Desktop applications / Software for system administration

Vendor: Tryton

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can send a specially crafted ML-RPC message to consume all available resources on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Tryton Application Platform (Server): 6.2.0 - 6.2.5, 6.0.0 - 6.0.15, 5.0.0 - 5.0.45

Tryton Application Platform (Console Client): 5.0.0 - 6.2.1

External links
http://bugs.tryton.org/issue11219
http://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for tryton-proteus

Debian update for tryton-server

Multiple vulnerabilities in Tryton Application Platform Server and Console Client