CVE-2022-0217

HIGH

Prosody - Info Disclosure

Title source: llm

Description

It was discovered that an internal Prosody library for loading XML, built on libexpat, does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in the expansion of recursive entity references declared in DTDs (CWE-776). In addition, depending on the libexpat version in use, it may also permit injection via XML External Entity (XXE) references (CWE-611).
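The defect described above is a parser that accepts DTD features it never needs. The following is an added example, not Prosody's code, using Python's libexpat binding (`xml.parsers.expat`) to show the difference: `permissive_parse` lets expat process the DTD and silently expand internal entities, while `hardened_parse` refuses any DOCTYPE, entity declaration or external entity reference before it is acted on. The sample documents, the function names and the `UnsafeXMLFeature` exception are all constructed for this illustration; the entity sample is deliberately tiny.

```python
import xml.parsers.expat as expat

# Constructed sample: a DTD that declares one internal entity and a second
# entity referencing it ten times. This is the (scaled-down) shape of the
# recursive-expansion problem classed as CWE-776; real payloads nest deeper.
SAMPLE_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE message [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<message>&b;</message>"""

# Constructed sample: an ordinary document with no DTD at all.
SAMPLE_PLAIN = b"<message>hello</message>"


class UnsafeXMLFeature(ValueError):
    """Raised when a document uses a feature the hardened parser refuses."""


def permissive_parse(data: bytes) -> int:
    """Parse with a bare expat parser; return the number of text characters seen.

    Nothing restricts DTD processing here, so entity references are expanded
    by libexpat before the application ever sees the resulting text.
    """
    text_len = 0

    def on_chars(s):
        nonlocal text_len
        text_len += len(s)

    p = expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(data, True)
    return text_len


def hardened_parse(data: bytes) -> int:
    """Same parse, but abort on any DOCTYPE, entity declaration or external ref.

    A messaging server only needs well-formed element/attribute XML, so the
    safest policy is to reject DTD machinery outright rather than try to
    bound its expansion.
    """
    text_len = 0

    def on_chars(s):
        nonlocal text_len
        text_len += len(s)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLFeature(f"DOCTYPE '{name}' not allowed")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLFeature(f"entity declaration '{name}' not allowed")

    def reject_external(context, base, sysid, pubid):
        # Covers the CWE-611 case: never resolve an external entity.
        raise UnsafeXMLFeature(f"external entity reference {sysid!r} not allowed")

    p = expat.ParserCreate()
    # Never read external parameter entities (the external DTD subset).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external
    p.CharacterDataHandler = on_chars
    p.Parse(data, True)
    return text_len


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        hardened_parse(data)
    except UnsafeXMLFeature:
        return True
    return False


if __name__ == "__main__":
    # The permissive parser turns a 3-byte reference into 100 characters;
    # the hardened parser stops at the DOCTYPE and never expands anything.
    print("permissive:", permissive_parse(SAMPLE_WITH_DTD))
    print("hardened rejects DTD sample:", is_rejected(SAMPLE_WITH_DTD))
    print("hardened accepts plain sample:", not is_rejected(SAMPLE_PLAIN))
```

Rejecting at `StartDoctypeDeclHandler` is the decisive control: expat calls it before any entity in the internal subset is declared, so the cost of an expansion attack is never paid, and the same handler set blocks external entities regardless of which libexpat version is linked.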

Scores

CVSS v3 7.5
EPSS 0.0046
EPSS Percentile 63.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-776 CWE-611
Status published
Products (1)
prosody/prosody < 0.11.12
Published Aug 26, 2022
Tracked Since Feb 18, 2026