CVE-2022-0217
HIGHprosody < 0.11.12 - XML External Entity Injection via libexpat Library
Title source: llmDescription
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
References (3)
Core 3
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2040639
Exploit, Patch, Vendor Advisory x_refsource_misc
https://prosody.im/security/advisory_20220113/
Patch, Vendor Advisory x_refsource_misc
https://prosody.im/security/advisory_20220113/1.patch
Scores
CVSS v3
7.5
EPSS
0.0440
EPSS Percentile
90.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-776
CWE-611
Status
published
Products (1)
prosody/prosody
< 0.11.12
Published
Aug 26, 2022
Tracked Since
Feb 18, 2026