CVE-2022-26662

HIGH

Tryton Application Platform <5.0.45-6.2.5 - DoS

Description

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

Scores

CVSS v3 7.5
EPSS 0.0558
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-776
Status published
Products (7)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
pypi/proteus 5.0.0 - 5.0.12
pypi/trytond 5.0.0 - 5.0.46
tryton/proteus 5.0.0 - 5.0.12
tryton/trytond 5.0.0 - 5.0.46
Published Mar 10, 2022
Tracked Since Feb 18, 2026