CVE-2022-26661 - Vulnerability Details - OpenCVE

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Tryton	Proteus Trytond

Configuration 1 [-]

OR	cpe:2.3:a:tryton:proteus::::::::
	cpe:2.3:a:tryton:proteus::::::::
	cpe:2.3:a:tryton:proteus::::::::
	cpe:2.3:a:tryton:trytond::::::::
	cpe:2.3:a:tryton:trytond::::::::
	cpe:2.3:a:tryton:trytond::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

No data.

References

Link	Providers
https://bugs.tryton.org/issue11219
https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059
https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html
https://www.debian.org/security/2022/dsa-5098
https://www.debian.org/security/2022/dsa-5099

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-07T22:40:11

Updated: 2024-08-03T05:11:44.600Z

Reserved: 2022-03-07T00:00:00

Link: CVE-2022-26661

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-10T17:47:52.213

Modified: 2024-11-21T06:54:16.947

Link: CVE-2022-26661

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-11T14:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.tryton.org/issue11219"}, {"tags": ["x_refsource_MISC"], "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"}, {"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"}, {"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"}, {"name": "DSA-5098", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5098"}, {"name": "DSA-5099", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5099"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26661", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.tryton.org/issue11219", "refsource": "MISC", "url": "https://bugs.tryton.org/issue11219"}, {"name": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059", "refsource": "MISC", "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"}, {"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"}, {"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"}, {"name": "DSA-5098", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5098"}, {"name": "DSA-5099", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5099"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:11:44.600Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.tryton.org/issue11219"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"}, {"name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2945-1] tryton-server security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"}, {"name": "[debian-lts-announce] 20220311 [SECURITY] [DLA 2946-1] tryton-proteus security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"}, {"name": "DSA-5098", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5098"}, {"name": "DSA-5099", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5099"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26661", "datePublished": "2022-03-07T22:40:11", "dateReserved": "2022-03-07T00:00:00", "dateUpdated": "2024-08-03T05:11:44.600Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D19FC38-D40C-4A7C-99E3-42621FE4C431", "versionEndExcluding": "5.0.12", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE9FF23A-193D-4259-8F56-210FFCFE9576", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tryton:proteus:*:*:*:*:*:*:*:*", "matchCriteriaId": "56DC449B-B042-4FDD-B7B7-9CFF27A008FE", "versionEndExcluding": "6.2.2", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAC63578-DEAD-4070-9C57-18B57104F94B", "versionEndExcluding": "5.0.46", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*", "matchCriteriaId": "49798AD5-E1A7-46DE-B0AC-9F6BA201BBCB", "versionEndExcluding": "6.0.16", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FA10D50-8E3E-47F0-8C6A-F849F27B5F44", "versionEndExcluding": "6.2.6", "versionStartIncluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system."}, {"lang": "es", "value": "Se ha detectado un problema de tipo XXE en Tryton Application Platform (Server) versiones 5.x hasta 5.0.45, versiones 6.x hasta 6.0.15, y versiones 6.1.x y 6.2.x hasta 6.2.5, y Tryton Application Platform (Command Line Client (proteus)) versiones 5.x hasta 5.0.11, versiones 6.x hasta 6.0.4, y versiones 6.1.x y 6.2.x hasta 6.2.1. Un usuario autenticado puede hacer que el servidor analice un archivo XML SEPA dise\u00f1ado para acceder a archivos arbitrarios en el sistema"}], "id": "CVE-2022-26661", "lastModified": "2024-11-21T06:54:16.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:47:52.213", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugs.tryton.org/issue11219"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5098"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5099"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugs.tryton.org/issue11219"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5098"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5099"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}