DescriptionIt was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
|National Vulnerability Database|
SUSE Security Advisories:
- openSUSE-SU-2022:0012-1, published Fri Jan 14 18:40:09 2022
List of released packages
|Product(s)||Fixed package version(s)||References|
|SUSE Package Hub 15 SP3|| ||Patchnames: |
|openSUSE Leap 15.3|| ||Patchnames: |
|openSUSE Tumbleweed|| ||Patchnames: |
openSUSE Tumbleweed GA prosody-0.11.12-1.1
SUSE Timeline for this CVECVE page created: Wed Jan 12 12:30:22 2022
CVE page last modified: Tue May 23 18:13:57 2023