Cyber Resilience

CVE-2022-26662

High

Published: 10 March 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0558 (90.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26662 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Tryton Proteus. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS 0.0558, 90.5th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

An XML Entity Expansion vulnerability, also known as XEE and tracked under CWE-776, affects the Tryton Application Platform Server (trytond) in versions 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, along with the Command Line Client component (proteus) in versions 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. The flaw resides in the XML-RPC handling path and carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability only (confidentiality and integrity are not affected).

An unauthenticated remote attacker can exploit the issue by submitting a specially crafted XML-RPC message that triggers uncontrolled entity expansion, exhausting server CPU and memory resources and resulting in denial of service.
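One defensive pattern against this class of flaw is to refuse any XML-RPC request body that carries a DTD at all: the XML-RPC format never needs a DOCTYPE, and the internal subset is the only place an entity chain can be declared, so rejecting it in the prolog means no expansion work is ever done. The following is an added illustration written for this page using only the Python standard library's expat binding; it is not Tryton's code nor the project's fix, and the sample request bodies (including the method name) are constructed for the example.

```python
"""Reject XML-RPC request bodies that declare a DOCTYPE or an entity,
before the body reaches the XML-RPC dispatcher.

Added example, not Tryton project code.  Uses only the standard library.
"""

import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when a request body declares a DOCTYPE or an entity."""


def reject_dtd(body: bytes) -> None:
    """Scan ``body`` with expat and raise DtdRejected at the first DOCTYPE
    or entity declaration.

    Both handlers fire while the prolog is being read, i.e. before any
    entity reference in the document content would be expanded, so a
    chained-entity payload is refused without paying its expansion cost.
    Malformed XML raises xml.parsers.expat.ExpatError from Parse().
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in XML-RPC request")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)


def is_safe_xmlrpc_body(body: bytes) -> bool:
    """True if the body parsed with no DTD; False if it was rejected or is
    not well-formed XML (both are grounds to return a 400 to the client)."""
    try:
        reject_dtd(body)
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample: an ordinary XML-RPC call with no DTD.  The method
# name "example.ping" is a placeholder, not a Tryton RPC method.
BENIGN_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.ping</methodName>
  <params/>
</methodCall>"""

# Constructed sample: the same call carrying a DOCTYPE whose internal
# subset declares entities that reference each other.  This is the shape
# an XEE payload takes; it is kept tiny here and is rejected before the
# single reference in <methodName> is ever expanded.
DTD_CALL = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY a "aaaa">
  <!ENTITY b "&a;&a;">
]>
<methodCall>
  <methodName>&b;</methodName>
  <params/>
</methodCall>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_CALL), ("dtd", DTD_CALL)):
        verdict = "accepted" if is_safe_xmlrpc_body(body) else "rejected"
        print(f"{label}: {verdict}")
```

In a deployment this check would run on the raw request body in front of the XML-RPC handler (a WSGI middleware or reverse-proxy filter), and a rejection is also a useful detection signal to log, since legitimate XML-RPC clients do not send DOCTYPE declarations. Applying the vendor's patched versions listed on this page remains the actual fix; the pre-parse filter is defence in depth.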

Public advisories published by the Tryton project and Debian security teams, including references to issue 11244 and associated security releases, direct administrators to apply the corresponding patched versions of the server and client packages. The EPSS score for this CVE has remained at 0.0558 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tryton / proteus: 5.0.0 to 5.0.12, 6.0.0 to 6.0.5, 6.2.0 to 6.2.2
tryton / trytond: 5.0.0 to 5.0.46, 6.0.0 to 6.0.16, 6.2.0 to 6.2.6
debian / debian linux: 9.0, 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References