CVE-2022-0217 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-0217 Interim 1 8 2023-09-06T23:38:02Z current 2022-01-14T02:11:45Z 2023-09-06T23:38:02Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-0217 It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T4AYNB4WRJM6UGUGE4MCR3AAVYPLM2PP/ E-Mail link for openSUSE-SU-2022:0012-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP3 openSUSE Leap 15.3 openSUSE Tumbleweed prosody-0.11.12-1.1 prosody-0.11.12-bp153.2.12.1 prosody-0.11.12-bp153.2.12.1 as a component of SUSE Package Hub 15 SP3 prosody-0.11.12-bp153.2.12.1 as a component of openSUSE Leap 15.3 prosody-0.11.12-1.1 as a component of openSUSE Tumbleweed It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). CVE-2022-0217 SUSE Package Hub 15 SP3:prosody-0.11.12-bp153.2.12.1 openSUSE Leap 15.3:prosody-0.11.12-bp153.2.12.1 openSUSE Tumbleweed:prosody-0.11.12-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H