Description
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
References (6)
Vendor Advisory (x_refsource_misc): https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
Patch, Vendor Advisory (x_refsource_misc): https://bugs.tryton.org/issue11244
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2022/dsa-5098
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2022/dsa-5099
Scores
CVSS v3
7.5
EPSS
0.0188
EPSS Percentile
76.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-776
Status
published
Products (7)
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
pypi/proteus
5.0.0 - 5.0.12 (PyPI)
pypi/trytond
5.0.0 - 5.0.46 (PyPI)
tryton/proteus
5.0.0 - 5.0.12
tryton/trytond
5.0.0 - 5.0.46
Published
Mar 10, 2022
Tracked Since
Feb 18, 2026