An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
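The weakness described above is the classic XML entity expansion (CWE-776) pattern: a DTD inside the XML-RPC body declares entities that reference each other, and an unbounded parser expands them into far more memory than the request itself occupies. A straightforward server-side mitigation is to refuse any request that carries a DOCTYPE or entity declaration at all, since a legitimate XML-RPC call never needs one. The following is an added example of that check and is not Tryton's own code or its fix; it uses only the Python standard library (`xml.parsers.expat` and `xmlrpc.client`), and the two request bodies and the method name `example.ping` are constructed for the demonstration.

```python
import xml.parsers.expat as expat
import xmlrpc.client


class UnsafeXMLError(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def _reject_doctype(*_handler_args):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any
    # internal subset (and therefore any entity) is processed.
    raise UnsafeXMLError("DOCTYPE declarations are not accepted")


def _reject_entity(*_handler_args):
    # Defence in depth: fires for <!ENTITY ...> if a DOCTYPE somehow got through.
    raise UnsafeXMLError("entity declarations are not accepted")


def check_no_dtd(data: bytes) -> None:
    """Walk the document once with handlers that abort on DTD constructs.

    Raises UnsafeXMLError for DTD/entity declarations and ValueError for
    malformed XML; returns None for a plain, well-formed document.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc


def load_xmlrpc_request(data: bytes):
    """Screen the body first, then decode it with the stock XML-RPC unmarshaller."""
    check_no_dtd(data)
    params, methodname = xmlrpc.client.loads(data)
    return methodname, params


def screen_request(data: bytes) -> str:
    """Classify a request body as 'ok', 'rejected-dtd' or 'malformed'."""
    try:
        check_no_dtd(data)
    except UnsafeXMLError:
        return "rejected-dtd"
    except ValueError:
        return "malformed"
    return "ok"


# Constructed sample: an ordinary XML-RPC call with one string parameter.
CLEAN_REQUEST = (
    b"<?xml version='1.0'?>"
    b"<methodCall><methodName>example.ping</methodName>"
    b"<params><param><value><string>hello</string></value></param></params>"
    b"</methodCall>"
)

# Constructed sample: the same call with an internal DTD subset that declares
# one entity. The declaration is what the check keys on, not the entity's size.
DTD_REQUEST = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE methodCall [<!ENTITY greet \"hello\">]>"
    b"<methodCall><methodName>example.ping</methodName>"
    b"<params><param><value><string>&greet;</string></value></param></params>"
    b"</methodCall>"
)

if __name__ == "__main__":
    print(screen_request(CLEAN_REQUEST), load_xmlrpc_request(CLEAN_REQUEST))
    print(screen_request(DTD_REQUEST))
```

Rejecting the DOCTYPE outright is simpler and more robust than trying to bound expansion, because the guard trips on the first byte of the declaration and the parser never allocates expanded entity content. Applying the same screening to the proteus client's handling of server responses would cover the client-side entry in the table above as well.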
Name | Vendor | Start Version | End Version |
---|---|---|---|
Proteus | Tryton | 5.0.0 (including) | 5.0.12 (excluding) |
Proteus | Tryton | 6.0.0 (including) | 6.0.5 (excluding) |
Proteus | Tryton | 6.2.0 (including) | 6.2.2 (excluding) |
Trytond | Tryton | 5.0.0 (including) | 5.0.46 (excluding) |
Trytond | Tryton | 6.0.0 (including) | 6.0.16 (excluding) |
Trytond | Tryton | 6.2.0 (including) | 6.2.6 (excluding) |
Tryton-proteus | Ubuntu | bionic | * |
Tryton-proteus | Ubuntu | impish | * |
Tryton-proteus | Ubuntu | kinetic | * |
Tryton-proteus | Ubuntu | lunar | * |
Tryton-proteus | Ubuntu | mantic | * |
Tryton-proteus | Ubuntu | trusty | * |
Tryton-proteus | Ubuntu | xenial | * |
Tryton-server | Ubuntu | bionic | * |
Tryton-server | Ubuntu | impish | * |
Tryton-server | Ubuntu | kinetic | * |
Tryton-server | Ubuntu | lunar | * |
Tryton-server | Ubuntu | mantic | * |
Tryton-server | Ubuntu | trusty | * |
Tryton-server | Ubuntu | xenial | * |