Search criteria
36 vulnerabilities found for prosody by prosody
VAR-202105-0755
Vulnerability from variot - Updated: 2024-08-14 13:03An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Prosody Is vulnerable to a race condition.Information may be obtained. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server. Remote attackers can use this vulnerability to obtain sensitive information. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202105-15
https://security.gentoo.org/
Severity: Low Title: Prosŏdy IM: Multiple vulnerabilities Date: May 26, 2021 Bugs: #771144, #789969 ID: 202105-15
Synopsis
Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. It aims to be easy to set up and configure, and efficient with system resources.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-im/prosody < 0.11.9 >= 0.11.9
Description
Multiple vulnerabilities have been discovered in Prosŏdy IM. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Prosŏdy IM users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-im/prosody-0.11.9"
References
[ 1 ] CVE-2021-32917 https://nvd.nist.gov/vuln/detail/CVE-2021-32917 [ 2 ] CVE-2021-32918 https://nvd.nist.gov/vuln/detail/CVE-2021-32918 [ 3 ] CVE-2021-32919 https://nvd.nist.gov/vuln/detail/CVE-2021-32919 [ 4 ] CVE-2021-32920 https://nvd.nist.gov/vuln/detail/CVE-2021-32920 [ 5 ] CVE-2021-32921 https://nvd.nist.gov/vuln/detail/CVE-2021-32921
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202105-15
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.
We recommend that you upgrade your prosody packages.
For the detailed security status of prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8 TjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE Jh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB Yy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly NteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY oWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv OdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn S9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U M1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT mIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA KxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu vBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg= =miBj -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202105-0755",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "prosody",
"scope": "lt",
"trust": 1.0,
"vendor": "prosody",
"version": "0.11.9"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "33"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "prosody",
"scope": null,
"trust": 0.8,
"vendor": "the prosody team",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "prosody",
"scope": "eq",
"trust": 0.6,
"vendor": "prosody",
"version": "0.11.9"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "162828"
}
],
"trust": 0.1
},
"cve": "CVE-2021-32921",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2021-32921",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2021-47380",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2021-32921",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.9,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-32921",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-32921",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-32921",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2021-47380",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-841",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-32921",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Prosody Is vulnerable to a race condition.Information may be obtained. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server. Remote attackers can use this vulnerability to obtain sensitive information. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202105-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Low\n Title: Pros\u014fdy IM: Multiple vulnerabilities\n Date: May 26, 2021\n Bugs: #771144, #789969\n ID: 202105-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Pros\u014fdy IM, the worst of\nwhich could result in a Denial of Service condition. It aims to be easy to\nset up and configure, and efficient with system resources. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-im/prosody \u003c 0.11.9 \u003e= 0.11.9\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Pros\u014fdy IM. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Pros\u014fdy IM users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-im/prosody-0.11.9\"\n\nReferences\n==========\n\n[ 1 ] CVE-2021-32917\n https://nvd.nist.gov/vuln/detail/CVE-2021-32917\n[ 2 ] CVE-2021-32918\n https://nvd.nist.gov/vuln/detail/CVE-2021-32918\n[ 3 ] CVE-2021-32919\n https://nvd.nist.gov/vuln/detail/CVE-2021-32919\n[ 4 ] CVE-2021-32920\n https://nvd.nist.gov/vuln/detail/CVE-2021-32920\n[ 5 ] CVE-2021-32921\n https://nvd.nist.gov/vuln/detail/CVE-2021-32921\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202105-15\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 0.11.2-1+deb10u1. \n\nWe recommend that you upgrade your prosody packages. \n\nFor the detailed security status of prosody please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/prosody\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8\nTjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE\nJh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB\nYy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly\nNteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY\noWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv\nOdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn\nS9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U\nM1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT\nmIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA\nKxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu\nvBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg=\n=miBj\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
}
],
"trust": 2.97
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-32921",
"trust": 4.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/05/14/2",
"trust": 2.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/05/13/1",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "162828",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2021-47380",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021051714",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021052610",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021051924",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2143",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1668",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-32921",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169060",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"id": "VAR-202105-0755",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
}
]
},
"last_update_date": "2024-08-14T13:03:37.608000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FEDORA-2021-a33f6e36e1 The\u00a0Prosody\u00a0TeamProsody",
"trust": 0.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"title": "Patch for Prosodical Thoughts Prosody has unspecified vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/276796"
},
{
"title": "Prosodical Thoughts Prosody Repair measures for the competition condition problem loophole",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151579"
},
{
"title": "Debian CVElist Bug Report Logs: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=7e41f41000c2cab381645f71a452e062"
},
{
"title": "Debian Security Advisories: DSA-4916-1 prosody -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=4c6e99d47bcacbd4d7778a12ef9e2dd1"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-32921 log"
},
{
"title": "Arch Linux Advisories: [ASA-202105-11] prosody: multiple issues",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202105-11"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-362",
"trust": 1.0
},
{
"problemtype": "Race condition (CWE-362) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"trust": 1.7,
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"trust": 1.6,
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32921"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021052610"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2143"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/162828/gentoo-linux-security-advisory-202105-15.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1668"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021051924"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021051714"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32918"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32917"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32919"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32920"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/362.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/prosody"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"date": "2021-05-13T00:00:00",
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"date": "2022-01-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"date": "2021-05-26T17:51:36",
"db": "PACKETSTORM",
"id": "162828"
},
{
"date": "2021-05-28T19:12:00",
"db": "PACKETSTORM",
"id": "169060"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-05-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"date": "2021-05-13T16:15:08.407000",
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-47380"
},
{
"date": "2021-05-22T00:00:00",
"db": "VULMON",
"id": "CVE-2021-32921"
},
{
"date": "2022-01-25T07:26:00",
"db": "JVNDB",
"id": "JVNDB-2021-006911"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-06-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-841"
},
{
"date": "2023-11-07T03:35:45.450000",
"db": "NVD",
"id": "CVE-2021-32921"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-841"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Prosody\u00a0 Race Vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006911"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 0.6
}
}
VAR-202105-0754
Vulnerability from variot - Updated: 2024-08-14 12:28Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server.
There were security vulnerabilities before Prosody 0.11.9. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202105-15
https://security.gentoo.org/
Severity: Low Title: Prosŏdy IM: Multiple vulnerabilities Date: May 26, 2021 Bugs: #771144, #789969 ID: 202105-15
Synopsis
Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. It aims to be easy to set up and configure, and efficient with system resources.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-im/prosody < 0.11.9 >= 0.11.9
Description
Multiple vulnerabilities have been discovered in Prosŏdy IM. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Prosŏdy IM users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-im/prosody-0.11.9"
References
[ 1 ] CVE-2021-32917 https://nvd.nist.gov/vuln/detail/CVE-2021-32917 [ 2 ] CVE-2021-32918 https://nvd.nist.gov/vuln/detail/CVE-2021-32918 [ 3 ] CVE-2021-32919 https://nvd.nist.gov/vuln/detail/CVE-2021-32919 [ 4 ] CVE-2021-32920 https://nvd.nist.gov/vuln/detail/CVE-2021-32920 [ 5 ] CVE-2021-32921 https://nvd.nist.gov/vuln/detail/CVE-2021-32921
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202105-15
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.
We recommend that you upgrade your prosody packages.
For the detailed security status of prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8 TjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE Jh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB Yy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly NteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY oWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv OdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn S9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U M1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT mIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA KxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu vBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg= =miBj -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202105-0754",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "prosody",
"scope": "lt",
"trust": 1.0,
"vendor": "prosody",
"version": "0.11.9"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "33"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "prosody",
"scope": null,
"trust": 0.8,
"vendor": "the prosody team",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "prosody",
"scope": "eq",
"trust": 0.6,
"vendor": "prosody",
"version": "0.11.9"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "162828"
}
],
"trust": 0.1
},
"cve": "CVE-2021-32920",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2021-32920",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-47381",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-32920",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-32920",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-32920",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-32920",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2021-47381",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-840",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2021-32920",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server. \n\r\n\r\nThere were security vulnerabilities before Prosody 0.11.9. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202105-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Low\n Title: Pros\u014fdy IM: Multiple vulnerabilities\n Date: May 26, 2021\n Bugs: #771144, #789969\n ID: 202105-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Pros\u014fdy IM, the worst of\nwhich could result in a Denial of Service condition. It aims to be easy to\nset up and configure, and efficient with system resources. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-im/prosody \u003c 0.11.9 \u003e= 0.11.9\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Pros\u014fdy IM. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Pros\u014fdy IM users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-im/prosody-0.11.9\"\n\nReferences\n==========\n\n[ 1 ] CVE-2021-32917\n https://nvd.nist.gov/vuln/detail/CVE-2021-32917\n[ 2 ] CVE-2021-32918\n https://nvd.nist.gov/vuln/detail/CVE-2021-32918\n[ 3 ] CVE-2021-32919\n https://nvd.nist.gov/vuln/detail/CVE-2021-32919\n[ 4 ] CVE-2021-32920\n https://nvd.nist.gov/vuln/detail/CVE-2021-32920\n[ 5 ] CVE-2021-32921\n https://nvd.nist.gov/vuln/detail/CVE-2021-32921\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202105-15\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2021 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n\n. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 0.11.2-1+deb10u1. \n\nWe recommend that you upgrade your prosody packages. \n\nFor the detailed security status of prosody please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/prosody\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8\nTjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE\nJh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB\nYy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly\nNteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY\noWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv\nOdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn\nS9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U\nM1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT\nmIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA\nKxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu\nvBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg=\n=miBj\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
}
],
"trust": 2.97
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-32920",
"trust": 4.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/05/14/2",
"trust": 2.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/05/13/1",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "162828",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2021-47381",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021052610",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021051924",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021051714",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1668",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-32920",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169060",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"id": "VAR-202105-0754",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
}
]
},
"last_update_date": "2024-08-14T12:28:06.548000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Prosody\u00a00.11.9\u00a0released",
"trust": 0.8,
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"title": "Patch for Prosodical Thoughts Prosody Resource Management Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/276801"
},
{
"title": "Prosodical Thoughts Prosody Remediation of resource management error vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151578"
},
{
"title": "Debian CVElist Bug Report Logs: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=7e41f41000c2cab381645f71a452e062"
},
{
"title": "Debian Security Advisories: DSA-4916-1 prosody -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=4c6e99d47bcacbd4d7778a12ef9e2dd1"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-32920 log"
},
{
"title": "Arch Linux Advisories: [ASA-202105-11] prosody: multiple issues",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202105-11"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "Resource exhaustion (CWE-400) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"trust": 1.7,
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32920"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/prosody-four-vulnerabilities-35422"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021052610"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/162828/gentoo-linux-security-advisory-202105-15.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1668"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021051924"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021051714"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32918"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32917"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32919"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32921"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/prosody"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"db": "PACKETSTORM",
"id": "162828"
},
{
"db": "PACKETSTORM",
"id": "169060"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"date": "2021-05-13T00:00:00",
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"date": "2022-01-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"date": "2021-05-26T17:51:36",
"db": "PACKETSTORM",
"id": "162828"
},
{
"date": "2021-05-28T19:12:00",
"db": "PACKETSTORM",
"id": "169060"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-05-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"date": "2021-05-13T16:15:08.377000",
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-47381"
},
{
"date": "2021-05-22T00:00:00",
"db": "VULMON",
"id": "CVE-2021-32920"
},
{
"date": "2022-01-25T07:26:00",
"db": "JVNDB",
"id": "JVNDB-2021-006910"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2022-07-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-840"
},
{
"date": "2023-11-07T03:35:45.367000",
"db": "NVD",
"id": "CVE-2021-32920"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Prosody\u00a0 Resource Depletion Vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006910"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-840"
}
],
"trust": 1.2
}
}
CVE-2022-0217 (GCVE-0-2022-0217)
Vulnerability from nvd – Published: 2022-08-26 17:25 – Updated: 2024-08-02 23:18
VLAI?
Summary
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Severity ?
No CVSS data available.
CWE
- CWE-776 - - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'), CWE-20 - Improper Input Validation.
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:47",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"name": "https://prosody.im/security/advisory_20220113/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"name": "https://prosody.im/security/advisory_20220113/1.patch",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0217",
"datePublished": "2022-08-26T17:25:47",
"dateReserved": "2022-01-13T00:00:00",
"dateUpdated": "2024-08-02T23:18:42.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37601 (GCVE-0-2021-37601)
Vulnerability from nvd – Published: 2021-07-28 13:52 – Updated: 2024-08-04 01:23
VLAI?
Summary
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T02:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37601",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/security/advisory_20210722/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"name": "https://prosody.im/",
"refsource": "MISC",
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37601",
"datePublished": "2021-07-28T13:52:17",
"dateReserved": "2021-07-28T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32921 (GCVE-0-2021-32921)
Vulnerability from nvd – Published: 2021-05-13 15:14 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:56.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-19T08:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32921",
"datePublished": "2021-05-13T15:14:43",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:56.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32920 (GCVE-0-2021-32920)
Vulnerability from nvd – Published: 2021-05-13 15:14 – Updated: 2024-08-03 23:33
VLAI?
Summary
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32920",
"datePublished": "2021-05-13T15:14:14",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32919 (GCVE-0-2021-32919)
Vulnerability from nvd – Published: 2021-05-13 15:12 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32919",
"datePublished": "2021-05-13T15:12:19",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32918 (GCVE-0-2021-32918)
Vulnerability from nvd – Published: 2021-05-13 15:11 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32918",
"datePublished": "2021-05-13T15:11:50",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32917 (GCVE-0-2021-32917)
Vulnerability from nvd – Published: 2021-05-13 15:10 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-16T06:06:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32917",
"datePublished": "2021-05-13T15:10:56",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-10847 (GCVE-0-2018-10847)
Vulnerability from nvd – Published: 2018-07-30 16:00 – Updated: 2024-08-05 07:46
VLAI?
Summary
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Severity ?
4.2 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "0.10.2"
},
{
"status": "affected",
"version": "0.9.14"
}
]
}
],
"datePublic": "2018-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "CWE-592",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-31T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10847",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "0.10.2"
},
{
"version_value": "0.9.14"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "4.2/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-592"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.prosody.im/1147",
"refsource": "CONFIRM",
"url": "https://issues.prosody.im/1147"
},
{
"name": "https://blog.prosody.im/prosody-0-10-2-security-release/",
"refsource": "CONFIRM",
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"name": "https://prosody.im/security/advisory_20180531/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20180531/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-10847",
"datePublished": "2018-07-30T16:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18265 (GCVE-0-2017-18265)
Vulnerability from nvd – Published: 2018-05-09 17:00 – Updated: 2024-08-05 21:13
VLAI?
Summary
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:49.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/875829"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-11T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/875829"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18265",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4198",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"name": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"name": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"name": "https://prosody.im/issues/issue/987",
"refsource": "MISC",
"url": "https://prosody.im/issues/issue/987"
},
{
"name": "https://bugs.debian.org/875829",
"refsource": "MISC",
"url": "https://bugs.debian.org/875829"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18265",
"datePublished": "2018-05-09T17:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T21:13:49.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0756 (GCVE-0-2016-0756)
Vulnerability from nvd – Published: 2016-01-29 20:00 – Updated: 2024-08-05 22:30
VLAI?
Summary
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0756",
"datePublished": "2016-01-29T20:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1232 (GCVE-0-2016-1232)
Vulnerability from nvd – Published: 2016-01-12 20:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1232",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/issues/issue/571",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-2/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1232",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1231 (GCVE-0-2016-1231)
Vulnerability from nvd – Published: 2016-01-12 20:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1231",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "https://prosody.im/issues/issue/520",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-1/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1231",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2745 (GCVE-0-2014-2745)
Vulnerability from nvd – Published: 2014-04-11 01:00 – Updated: 2024-08-06 10:21
VLAI?
Summary
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2745",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "http://hg.prosody.im/0.9/rev/a97591d2e1ad",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://hg.prosody.im/0.9/rev/1107d66d2ab2",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2745",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2744 (GCVE-0-2014-2744)
Vulnerability from nvd – Published: 2014-04-11 01:00 – Updated: 2024-08-06 10:21
VLAI?
Summary
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://code.lightwitch.org/metronome/rev/49f47277a411",
"refsource": "CONFIRM",
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2744",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0217 (GCVE-0-2022-0217)
Vulnerability from cvelistv5 – Published: 2022-08-26 17:25 – Updated: 2024-08-02 23:18
VLAI?
Summary
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Severity ?
No CVSS data available.
CWE
- CWE-776 - - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'), CWE-20 - Improper Input Validation.
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:47",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"name": "https://prosody.im/security/advisory_20220113/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"name": "https://prosody.im/security/advisory_20220113/1.patch",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0217",
"datePublished": "2022-08-26T17:25:47",
"dateReserved": "2022-01-13T00:00:00",
"dateUpdated": "2024-08-02T23:18:42.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37601 (GCVE-0-2021-37601)
Vulnerability from cvelistv5 – Published: 2021-07-28 13:52 – Updated: 2024-08-04 01:23
VLAI?
Summary
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T02:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37601",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/security/advisory_20210722/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"name": "https://prosody.im/",
"refsource": "MISC",
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37601",
"datePublished": "2021-07-28T13:52:17",
"dateReserved": "2021-07-28T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32921 (GCVE-0-2021-32921)
Vulnerability from cvelistv5 – Published: 2021-05-13 15:14 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:56.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-19T08:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32921",
"datePublished": "2021-05-13T15:14:43",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:56.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32920 (GCVE-0-2021-32920)
Vulnerability from cvelistv5 – Published: 2021-05-13 15:14 – Updated: 2024-08-03 23:33
VLAI?
Summary
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32920",
"datePublished": "2021-05-13T15:14:14",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32919 (GCVE-0-2021-32919)
Vulnerability from cvelistv5 – Published: 2021-05-13 15:12 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32919",
"datePublished": "2021-05-13T15:12:19",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32918 (GCVE-0-2021-32918)
Vulnerability from cvelistv5 – Published: 2021-05-13 15:11 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32918",
"datePublished": "2021-05-13T15:11:50",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32917 (GCVE-0-2021-32917)
Vulnerability from cvelistv5 – Published: 2021-05-13 15:10 – Updated: 2024-08-03 23:33
VLAI?
Summary
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-16T06:06:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32917",
"datePublished": "2021-05-13T15:10:56",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-10847 (GCVE-0-2018-10847)
Vulnerability from cvelistv5 – Published: 2018-07-30 16:00 – Updated: 2024-08-05 07:46
VLAI?
Summary
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Severity ?
4.2 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "0.10.2"
},
{
"status": "affected",
"version": "0.9.14"
}
]
}
],
"datePublic": "2018-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "CWE-592",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-31T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10847",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "0.10.2"
},
{
"version_value": "0.9.14"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "4.2/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-592"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.prosody.im/1147",
"refsource": "CONFIRM",
"url": "https://issues.prosody.im/1147"
},
{
"name": "https://blog.prosody.im/prosody-0-10-2-security-release/",
"refsource": "CONFIRM",
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"name": "https://prosody.im/security/advisory_20180531/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20180531/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-10847",
"datePublished": "2018-07-30T16:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18265 (GCVE-0-2017-18265)
Vulnerability from cvelistv5 – Published: 2018-05-09 17:00 – Updated: 2024-08-05 21:13
VLAI?
Summary
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:49.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/875829"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-11T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/875829"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18265",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4198",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"name": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"name": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"name": "https://prosody.im/issues/issue/987",
"refsource": "MISC",
"url": "https://prosody.im/issues/issue/987"
},
{
"name": "https://bugs.debian.org/875829",
"refsource": "MISC",
"url": "https://bugs.debian.org/875829"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18265",
"datePublished": "2018-05-09T17:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T21:13:49.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0756 (GCVE-0-2016-0756)
Vulnerability from cvelistv5 – Published: 2016-01-29 20:00 – Updated: 2024-08-05 22:30
VLAI?
Summary
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0756",
"datePublished": "2016-01-29T20:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1231 (GCVE-0-2016-1231)
Vulnerability from cvelistv5 – Published: 2016-01-12 20:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1231",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "https://prosody.im/issues/issue/520",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-1/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1231",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1232 (GCVE-0-2016-1232)
Vulnerability from cvelistv5 – Published: 2016-01-12 20:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1232",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/issues/issue/571",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-2/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1232",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2745 (GCVE-0-2014-2745)
Vulnerability from cvelistv5 – Published: 2014-04-11 01:00 – Updated: 2024-08-06 10:21
VLAI?
Summary
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2745",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "http://hg.prosody.im/0.9/rev/a97591d2e1ad",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://hg.prosody.im/0.9/rev/1107d66d2ab2",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2745",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2744 (GCVE-0-2014-2744)
Vulnerability from cvelistv5 – Published: 2014-04-11 01:00 – Updated: 2024-08-06 10:21
VLAI?
Summary
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://code.lightwitch.org/metronome/rev/49f47277a411",
"refsource": "CONFIRM",
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2744",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}