CVE-2022-0217: XEE
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data.
Reference:
https://prosody.im/security/advisory20220113.txt
Other sources
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
— MITRE
Affected Software
Remediation
Patch Available
Patch Available
Event History
Frequently Asked Questions
What is CVE-2022-0217?
CVE-2022-0217 is a vulnerability in Prosody that allows for expansion of recursive entity references from DTDs, which can be exploited by an attacker.
What is the severity of CVE-2022-0217?
The severity of CVE-2022-0217 is high, with a CVSS score of 7.5.
Which software is affected by CVE-2022-0217?
Prosody version up to exclusive 0.11.12 is affected by CVE-2022-0217.
How can CVE-2022-0217 be exploited?
CVE-2022-0217 can be exploited by providing suitable attacker input to trigger the expansion of recursive entity references from DTDs.
Where can I find more information about CVE-2022-0217?
You can find more information about CVE-2022-0217 in the following references: [Reference 1](https://bugzilla.redhat.com/show_bug.cgi?id=2040639), [Reference 2](https://prosody.im/security/advisory_20220113/), [Reference 3](https://prosody.im/security/advisory_20220113/1.patch)