It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

The remote Debian 10 / 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-5047 advisory.

    Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was     susceptible to denial of service. For the oldstable distribution (buster), this problem has been fixed in     version 0.11.2-1+deb10u3. For the stable distribution (bullseye), this problem has been fixed in version     0.11.9-2+deb11u1. We recommend that you upgrade your prosody packages. For the detailed security status of     prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the e3ec8b30-757b-11ec-922f-654747404482 advisory.

  - It was discovered that an internal Prosody library to load XML based on libexpat does not properly     restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in     expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat     version used, it may also allow injections using XML External Entity References (CWE-611). (CVE-2022-0217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2022:0012-1 advisory.

  - It was discovered that an internal Prosody library to load XML based on libexpat does not properly     restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in     expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat     version used, it may also allow injections using XML External Entity References (CWE-611). (CVE-2022-0217)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
156768	Debian DSA-5047-1 : prosody - security update	Nessus	Debian Local Security Checks	high
156764	FreeBSD : Prosody XMPP server advisory 2022-01-13 (e3ec8b30-757b-11ec-922f-654747404482)	Nessus	FreeBSD Local Security Checks	high
156761	openSUSE 15 Security Update : prosody (openSUSE-SU-2022:0012-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2022-0217

high

Tenable Plugins

high

high

high