Vulnerabilites related to prosody - prosody
CVE-2021-32917 (GCVE-0-2021-32917)
Vulnerability from cvelistv5
Published
2021-05-13 15:10
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
References
| ► | URL | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-16T06:06:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32917",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32917",
"datePublished": "2021-05-13T15:10:56",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32918 (GCVE-0-2021-32918)
Vulnerability from cvelistv5
Published
2021-05-13 15:11
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32918",
"datePublished": "2021-05-13T15:11:50",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37601 (GCVE-0-2021-37601)
Vulnerability from cvelistv5
Published
2021-07-28 13:52
Modified
2024-08-04 01:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-12T02:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37601",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/security/advisory_20210722/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"name": "https://prosody.im/",
"refsource": "MISC",
"url": "https://prosody.im/"
},
{
"name": "[oss-security] 20210728 Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"name": "FEDORA-2021-1d574ae400",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"name": "FEDORA-2021-fe9513e089",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37601",
"datePublished": "2021-07-28T13:52:17",
"dateReserved": "2021-07-28T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1231 (GCVE-0-2016-1231)
Vulnerability from cvelistv5
Published
2016-01-12 20:00
Modified
2024-08-05 22:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1231",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "https://prosody.im/issues/issue/520",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/520"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-1/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1231",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18265 (GCVE-0-2017-18265)
Vulnerability from cvelistv5
Published
2018-05-09 17:00
Modified
2024-08-05 21:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:49.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/875829"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-11T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-4198",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/875829"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18265",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4198",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"name": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"name": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a",
"refsource": "MISC",
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"name": "https://prosody.im/issues/issue/987",
"refsource": "MISC",
"url": "https://prosody.im/issues/issue/987"
},
{
"name": "https://bugs.debian.org/875829",
"refsource": "MISC",
"url": "https://bugs.debian.org/875829"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18265",
"datePublished": "2018-05-09T17:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T21:13:49.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-2532 (GCVE-0-2011-2532)
Vulnerability from cvelistv5
Published
2011-06-22 21:00
Modified
2024-09-16 22:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:08:22.653Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.8/rev/20979f124ad9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-06-22T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.8/rev/20979f124ad9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-2532",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.prosody.im/prosody-0-8-1-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"name": "http://hg.prosody.im/0.8/rev/20979f124ad9",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.8/rev/20979f124ad9"
},
{
"name": "http://prosody.im/doc/release/0.8.1",
"refsource": "CONFIRM",
"url": "http://prosody.im/doc/release/0.8.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-2532",
"datePublished": "2011-06-22T21:00:00Z",
"dateReserved": "2011-06-22T00:00:00Z",
"dateUpdated": "2024-09-16T22:50:50.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32919 (GCVE-0-2021-32919)
Vulnerability from cvelistv5
Published
2021-05-13 15:12
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32919",
"datePublished": "2021-05-13T15:12:19",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1232 (GCVE-0-2016-1232)
Vulnerability from cvelistv5
Published
2016-01-12 20:00
Modified
2024-08-05 22:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-01T20:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1232",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosody.im/issues/issue/571",
"refsource": "CONFIRM",
"url": "https://prosody.im/issues/issue/571"
},
{
"name": "FEDORA-2016-e289f41b76",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"name": "FEDORA-2016-38e48069f8",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"name": "DSA-3439",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"name": "http://blog.prosody.im/prosody-0-9-9-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"name": "https://prosody.im/security/advisory_20160108-2/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"name": "[oss-security] 20160108 CVE-2016-1231, CVE-2016-1232: Prosody XMPP server multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1232",
"datePublished": "2016-01-12T20:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32920 (GCVE-0-2021-32920)
Vulnerability from cvelistv5
Published
2021-05-13 15:14
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T10:06:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32920",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32920",
"datePublished": "2021-05-13T15:14:14",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-2205 (GCVE-0-2011-2205)
Vulnerability from cvelistv5
Published
2011-06-22 21:00
Modified
2024-08-06 22:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
References
| ► | URL | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:53:17.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.8/rev/5305a665bdd4"
},
{
"name": "prosody-xml-dos(67884)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67884"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d"
},
{
"name": "[oss-security] 20110615 Re: CVE Request: prosody DoS, djabberd external entity injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/15/5"
},
{
"name": "44852",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/44852"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"name": "[oss-security] 20110614 CVE Request: prosody DoS, djabberd external entity injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/14/6"
},
{
"name": "48125",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/48125"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-06-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.8/rev/5305a665bdd4"
},
{
"name": "prosody-xml-dos(67884)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67884"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d"
},
{
"name": "[oss-security] 20110615 Re: CVE Request: prosody DoS, djabberd external entity injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/15/5"
},
{
"name": "44852",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/44852"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"name": "[oss-security] 20110614 CVE Request: prosody DoS, djabberd external entity injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/14/6"
},
{
"name": "48125",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/48125"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-2205",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.prosody.im/prosody-0-8-1-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"name": "http://hg.prosody.im/0.8/rev/5305a665bdd4",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.8/rev/5305a665bdd4"
},
{
"name": "prosody-xml-dos(67884)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67884"
},
{
"name": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d"
},
{
"name": "[oss-security] 20110615 Re: CVE Request: prosody DoS, djabberd external entity injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/06/15/5"
},
{
"name": "44852",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/44852"
},
{
"name": "http://prosody.im/doc/release/0.8.1",
"refsource": "CONFIRM",
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"name": "[oss-security] 20110614 CVE Request: prosody DoS, djabberd external entity injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/06/14/6"
},
{
"name": "48125",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/48125"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-2205",
"datePublished": "2011-06-22T21:00:00",
"dateReserved": "2011-05-31T00:00:00",
"dateUpdated": "2024-08-06T22:53:17.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-10847 (GCVE-0-2018-10847)
Vulnerability from cvelistv5
Published
2018-07-30 16:00
Modified
2024-08-05 07:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "0.10.2"
},
{
"status": "affected",
"version": "0.9.14"
}
]
}
],
"datePublic": "2018-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "CWE-592",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-31T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.prosody.im/1147"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20180531/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-10847",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "0.10.2"
},
{
"version_value": "0.9.14"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "4.2/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-592"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.prosody.im/1147",
"refsource": "CONFIRM",
"url": "https://issues.prosody.im/1147"
},
{
"name": "https://blog.prosody.im/prosody-0-10-2-security-release/",
"refsource": "CONFIRM",
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"name": "DSA-4216",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"name": "https://prosody.im/security/advisory_20180531/",
"refsource": "CONFIRM",
"url": "https://prosody.im/security/advisory_20180531/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-10847",
"datePublished": "2018-07-30T16:00:00",
"dateReserved": "2018-05-09T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-0756 (GCVE-0-2016-0756)
Vulnerability from cvelistv5
Published
2016-01-29 20:00
Modified
2024-08-05 22:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "FEDORA-2016-e2c5111eda",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"name": "82241",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82241"
},
{
"name": "FEDORA-2016-5a5c85c5a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/issues/issue/596"
},
{
"name": "[oss-security] 20160127 CVE-2016-0756: Prosody XMPP server: insecure dialback key generation/validation algorithm",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"name": "DSA-3463",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0756",
"datePublished": "2016-01-29T20:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0217 (GCVE-0-2022-0217)
Vulnerability from cvelistv5
Published
2022-08-26 17:25
Modified
2024-08-02 23:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-776 - - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'), CWE-20 - Improper Input Validation.
Summary
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prosody",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T17:25:47",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prosody",
"version": {
"version_data": [
{
"version_value": "Fixed in prosody 0.11.12, Affects all versions with support for WebSockets."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-776 - Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027), CWE-20 - Improper Input Validation."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"name": "https://prosody.im/security/advisory_20220113/",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"name": "https://prosody.im/security/advisory_20220113/1.patch",
"refsource": "MISC",
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0217",
"datePublished": "2022-08-26T17:25:47",
"dateReserved": "2022-01-13T00:00:00",
"dateUpdated": "2024-08-02T23:18:42.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2744 (GCVE-0-2014-2744)
Vulnerability from cvelistv5
Published
2014-04-11 01:00
Modified
2024-08-06 10:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://code.lightwitch.org/metronome/rev/49f47277a411",
"refsource": "CONFIRM",
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2744",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32921 (GCVE-0-2021-32921)
Vulnerability from cvelistv5
Published
2021-05-13 15:14
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:56.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-19T08:06:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32921",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.prosody.im/prosody-0.11.9-released/",
"refsource": "MISC",
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"name": "[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"name": "[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"name": "DSA-4916",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"name": "FEDORA-2021-b5d8c6d086",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"name": "FEDORA-2021-a33f6e36e1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"name": "FEDORA-2021-498be8f560",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"name": "https://security.gentoo.org/glsa/202105-15",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"name": "[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"name": "[debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32921",
"datePublished": "2021-05-13T15:14:43",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:56.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2745 (GCVE-0-2014-2745)
Vulnerability from cvelistv5
Published
2014-04-11 01:00
Modified
2024-08-06 10:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-04-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-04-15T12:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57710"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-2745",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/",
"refsource": "MISC",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"name": "http://hg.prosody.im/0.9/rev/a97591d2e1ad",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"name": "DSA-2895",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"name": "57710",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57710"
},
{
"name": "http://hg.prosody.im/0.9/rev/1107d66d2ab2",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"name": "http://blog.prosody.im/prosody-0-9-4-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-2745",
"datePublished": "2014-04-11T01:00:00",
"dateReserved": "2014-04-08T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-2531 (GCVE-0-2011-2531)
Vulnerability from cvelistv5
Published
2011-06-22 21:00
Modified
2024-09-17 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:08:22.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://hg.prosody.im/0.8/rev/c806a599224a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-06-22T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://hg.prosody.im/0.8/rev/c806a599224a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-2531",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.prosody.im/prosody-0-8-1-released/",
"refsource": "CONFIRM",
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"name": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5"
},
{
"name": "http://hg.prosody.im/0.8/rev/c806a599224a",
"refsource": "CONFIRM",
"url": "http://hg.prosody.im/0.8/rev/c806a599224a"
},
{
"name": "http://prosody.im/doc/release/0.8.1",
"refsource": "CONFIRM",
"url": "http://prosody.im/doc/release/0.8.1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-2531",
"datePublished": "2011-06-22T21:00:00Z",
"dateReserved": "2011-06-22T00:00:00Z",
"dateUpdated": "2024-09-17T00:10:59.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2016-01-12 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@debian.org | http://blog.prosody.im/prosody-0-9-9-security-release/ | Patch, Vendor Advisory | |
| security@debian.org | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html | ||
| security@debian.org | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html | ||
| security@debian.org | http://www.debian.org/security/2016/dsa-3439 | ||
| security@debian.org | http://www.openwall.com/lists/oss-security/2016/01/08/5 | ||
| security@debian.org | https://prosody.im/issues/issue/520 | ||
| security@debian.org | https://prosody.im/security/advisory_20160108-1/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-9-9-security-release/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2016/dsa-3439 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/01/08/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/issues/issue/520 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20160108-1/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| fedoraproject | fedora | 22 | |
| fedoraproject | fedora | 23 | |
| prosody | prosody | 0.9.0 | |
| prosody | prosody | 0.9.1 | |
| prosody | prosody | 0.9.2 | |
| prosody | prosody | 0.9.3 | |
| prosody | prosody | 0.9.4 | |
| prosody | prosody | 0.9.5 | |
| prosody | prosody | 0.9.6 | |
| prosody | prosody | 0.9.7 | |
| prosody | prosody | 0.9.8 | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "668FF630-38DC-44BF-ACC8-2F519B788175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DADDF029-1D55-4B48-B535-BBF677B10C29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DB07BA0E-AA91-4773-AC6C-63C825D6D114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A6E8D0F2-485E-441A-94F5-5FEF084B38F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D2251303-150D-439D-9AE3-A0B61379A0B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8B6A57A5-A666-4F09-9618-55C9AFF7383B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en el m\u00f3dulo HTTP file-serving (mod_http_files) en Prosody 0.9.x en versiones anteriores a 0.9.9 permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de un .. (punto punto) en una ruta no especificada."
}
],
"id": "CVE-2016-1231",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-12T20:59:09.167",
"references": [
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"source": "security@debian.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"source": "security@debian.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"source": "security@debian.org",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"source": "security@debian.org",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
},
{
"source": "security@debian.org",
"url": "https://prosody.im/issues/issue/520"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://prosody.im/issues/issue/520"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160108-1/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 16:15
Modified
2024-11-21 06:07
Severity ?
Summary
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| cve@mitre.org | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9528D37B-78D0-42FC-AAC3-DB6DE6A4A85B",
"versionEndExcluding": "0.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server\u0027s bandwidth."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Prosody versiones anteriores a 0.11.9.\u0026#xa0;El componente proxy65 permite un acceso abierto por defecto, incluso si ninguno de los usuarios tiene una cuenta XMPP en el servidor local, permitiendo el uso sin restricciones del ancho de banda del servidor"
}
],
"id": "CVE-2021-32917",
"lastModified": "2024-11-21T06:07:55.210",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T16:15:08.290",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-01-12 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@debian.org | http://blog.prosody.im/prosody-0-9-9-security-release/ | Patch, Vendor Advisory | |
| security@debian.org | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html | ||
| security@debian.org | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html | ||
| security@debian.org | http://www.debian.org/security/2016/dsa-3439 | ||
| security@debian.org | http://www.openwall.com/lists/oss-security/2016/01/08/5 | ||
| security@debian.org | https://prosody.im/issues/issue/571 | ||
| security@debian.org | https://prosody.im/security/advisory_20160108-2/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-9-9-security-release/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2016/dsa-3439 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/01/08/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/issues/issue/571 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20160108-2/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| prosody | prosody | 0.9.0 | |
| prosody | prosody | 0.9.1 | |
| prosody | prosody | 0.9.2 | |
| prosody | prosody | 0.9.3 | |
| prosody | prosody | 0.9.4 | |
| prosody | prosody | 0.9.5 | |
| prosody | prosody | 0.9.6 | |
| prosody | prosody | 0.9.7 | |
| fedoraproject | fedora | 22 | |
| fedoraproject | fedora | 23 | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83032BB7-AE53-4E17-90F1-5BA84367BC23",
"versionEndIncluding": "0.9.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "668FF630-38DC-44BF-ACC8-2F519B788175",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DADDF029-1D55-4B48-B535-BBF677B10C29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DB07BA0E-AA91-4773-AC6C-63C825D6D114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "A6E8D0F2-485E-441A-94F5-5FEF084B38F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D2251303-150D-439D-9AE3-A0B61379A0B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
},
{
"lang": "es",
"value": "El m\u00f3dulo mod_dialback en Prosody en versiones anteriores a 0.9.9 no genera adecuadamente valores aleatorios para para el token secreto en la autenticaci\u00f3n de devoluci\u00f3n de llamada de servidor a servidor, lo que hace que sea m\u00e1s f\u00e1cil para atacantes suplantar servidores a trav\u00e9s de un ataque de fuerza bruta."
}
],
"evaluatorComment": "\u003ca href=\"https://cwe.mitre.org/data/definitions/338.html\"\u003eCWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\u003c/a\u003e",
"id": "CVE-2016-1232",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-12T20:59:10.200",
"references": [
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"source": "security@debian.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"source": "security@debian.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"source": "security@debian.org",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"source": "security@debian.org",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
},
{
"source": "security@debian.org",
"url": "https://prosody.im/issues/issue/571"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3439"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://prosody.im/issues/issue/571"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160108-2/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-06-22 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| cve@mitre.org | http://hg.prosody.im/0.8/rev/c806a599224a | Patch | |
| cve@mitre.org | http://hg.prosody.im/0.8/rev/d2406f0ce8a5 | Patch | |
| cve@mitre.org | http://prosody.im/doc/release/0.8.1 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.8/rev/c806a599224a | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.8/rev/d2406f0ce8a5 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://prosody.im/doc/release/0.8.1 | Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B894C4E-513C-4AF5-9500-D74F1D8DADA8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data."
},
{
"lang": "es",
"value": "Prosody v0.8.x antes de v0.8.1, cuando se usa MySQL, asigna un tipo de datos incorrecto para la columna de valores en algunas tablas, lo que podr\u00eda permitir a atacantes remotos provocar una denegaci\u00f3n de servicio (truncamiento de datos) mediante el env\u00edo de una gran cantidad de datos."
}
],
"id": "CVE-2011-2531",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-06-22T21:55:02.293",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/c806a599224a"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/c806a599224a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/d2406f0ce8a5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-26 18:15
Modified
2024-11-21 06:38
Severity ?
Summary
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2040639 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://prosody.im/security/advisory_20220113/ | Exploit, Patch, Vendor Advisory | |
| secalert@redhat.com | https://prosody.im/security/advisory_20220113/1.patch | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2040639 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20220113/ | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20220113/1.patch | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98D7D5B7-A0FE-4E89-88AA-F7B83ECD4F90",
"versionEndExcluding": "0.11.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611)."
},
{
"lang": "es",
"value": "Se ha detectado que una biblioteca interna de Prosody para cargar XML basada en libexpat no restringe apropiadamente las funcionalidades XML permitidas en los datos XML analizados. Dada la entrada apropiada del atacante, esto resulta en la expansi\u00f3n de referencias de entidades recursivas de DTDs (CWE-776). Adem\u00e1s, dependiendo de la versi\u00f3n de libexpat usada, tambi\u00e9n puede permitir inyecciones usando referencias de entidades externas XML (CWE-611)."
}
],
"id": "CVE-2022-0217",
"lastModified": "2024-11-21T06:38:09.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-26T18:15:08.833",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20220113/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20220113/1.patch"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-776"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
},
{
"lang": "en",
"value": "CWE-776"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-04-11 01:55
Modified
2025-04-12 10:46
Severity ?
Summary
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@debian.org | http://blog.prosody.im/prosody-0-9-4-released/ | Vendor Advisory | |
| security@debian.org | http://code.lightwitch.org/metronome/rev/49f47277a411 | Exploit, Patch | |
| security@debian.org | http://hg.prosody.im/0.9/rev/b3b1c9da38fb | Exploit, Patch | |
| security@debian.org | http://openwall.com/lists/oss-security/2014/04/07/7 | ||
| security@debian.org | http://openwall.com/lists/oss-security/2014/04/09/1 | ||
| security@debian.org | http://secunia.com/advisories/57710 | ||
| security@debian.org | http://www.debian.org/security/2014/dsa-2895 | ||
| security@debian.org | http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-9-4-released/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://code.lightwitch.org/metronome/rev/49f47277a411 | Exploit, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.9/rev/b3b1c9da38fb | Exploit, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2014/04/07/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2014/04/09/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/57710 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2014/dsa-2895 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lightwitch | metronome | * | |
| prosody | prosody | * | |
| prosody | prosody | 0.1.0 | |
| prosody | prosody | 0.2.0 | |
| prosody | prosody | 0.3.0 | |
| prosody | prosody | 0.4.0 | |
| prosody | prosody | 0.4.1 | |
| prosody | prosody | 0.4.2 | |
| prosody | prosody | 0.5.0 | |
| prosody | prosody | 0.5.1 | |
| prosody | prosody | 0.5.2 | |
| prosody | prosody | 0.6.0 | |
| prosody | prosody | 0.6.1 | |
| prosody | prosody | 0.6.2 | |
| prosody | prosody | 0.7.0 | |
| prosody | prosody | 0.8.0 | |
| prosody | prosody | 0.8.1 | |
| prosody | prosody | 0.8.2 | |
| prosody | prosody | 0.9.0 | |
| prosody | prosody | 0.9.1 | |
| prosody | prosody | 0.9.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lightwitch:metronome:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9EEE202-6A1C-4F03-AB6B-0055E44AC19C",
"versionEndIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3BC00F6-770F-4A75-956D-981D54265EA2",
"versionEndIncluding": "0.9.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CAFD513E-D824-4A56-ACAC-C80D253D238E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66CADDFD-351C-4785-AA25-F15482563A0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0EEB6D2F-91DF-452F-B93C-7E27B7F9AE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7C9A3A-25B6-4EFA-BFF0-B3EA4BE50D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3849A36E-AE3C-4A64-A267-455E7DFA23FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BE46CE5D-C648-497C-9B9D-7053E57206ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72D503F4-503A-427E-8601-DC58ABF87556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "27B91228-E7DC-460A-9BB7-AEBB0DB6EF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "641B719B-2739-4E1E-9BE1-B4082D8D85BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20E34C61-6749-4DDC-A9E0-50A96430CEA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "817100C0-4FCC-4DDE-8B4D-670854BEA3CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2445AF7B-643F-4436-BAB7-17027762A016",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "14F2E897-2B3F-4435-8BAC-87CF347C9AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B894C4E-513C-4AF5-9500-D74F1D8DADA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B853EF1C-DC87-44FA-A4F0-AACE918F3F56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "79A5214A-FEB7-44CA-9F56-BC23A39C7990",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack."
},
{
"lang": "es",
"value": "plugins/mod_compression.lua en (1) Prosody anterior a 0.9.4 y (2) Lightwitch Metronome hasta 3.4 negocia compresi\u00f3n de cadena mientras una sesi\u00f3n no est\u00e1 autenticada, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de elementos XML comprimidos en una cadena XMPP, tambi\u00e9n conocido como un ataque \"xmppbomb\"."
}
],
"id": "CVE-2014-2744",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-04-11T01:55:06.663",
"references": [
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"source": "security@debian.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"source": "security@debian.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"source": "security@debian.org",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
},
{
"source": "security@debian.org",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/57710"
},
{
"source": "security@debian.org",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"source": "security@debian.org",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://code.lightwitch.org/metronome/rev/49f47277a411"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://hg.prosody.im/0.9/rev/b3b1c9da38fb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-01-29 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://blog.prosody.im/prosody-0-9-10-released/ | Patch, Vendor Advisory | |
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html | ||
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html | ||
| secalert@redhat.com | http://www.debian.org/security/2016/dsa-3463 | ||
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2016/01/27/10 | ||
| secalert@redhat.com | http://www.securityfocus.com/bid/82241 | ||
| secalert@redhat.com | https://prosody.im/issues/issue/596 | ||
| secalert@redhat.com | https://prosody.im/security/advisory_20160127/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-9-10-released/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2016/dsa-3463 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/01/27/10 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/82241 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/issues/issue/596 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20160127/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7335EF0B-26AC-4407-880D-9A92F5D5D722",
"versionEndIncluding": "0.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix."
},
{
"lang": "es",
"value": "La funci\u00f3n generate_dialback en el m\u00f3dulo mod_dialback en Prosody en versiones anteriores a 0.9.10 no separa campos correctamente cuando genera claves de devoluci\u00f3n de llamada, lo que permite a atacantes remotos suplantar dominios de red XMPP a trav\u00e9s de una identidad de flujo y un nombre de dominio manipulados que est\u00e1n incluidos en el dominio objetivo como un sufijo."
}
],
"id": "CVE-2016-0756",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-29T20:59:06.560",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/82241"
},
{
"source": "secalert@redhat.com",
"url": "https://prosody.im/issues/issue/596"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160127/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.prosody.im/prosody-0-9-10-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2016/01/27/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/82241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://prosody.im/issues/issue/596"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20160127/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 16:15
Modified
2024-11-21 06:07
Severity ?
Summary
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| cve@mitre.org | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| lua | lua | 5.2.0 | |
| lua | lua | 5.3.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9528D37B-78D0-42FC-AAC3-DB6DE6A4A85B",
"versionEndExcluding": "0.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lua:lua:5.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "F41B4A37-B7E5-4405-B5EA-5F1832AF02E7",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:lua:lua:5.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "6820CE33-926F-477F-A99E-153E88BD5248",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Prosody versiones anteriores a 0.11.9.\u0026#xa0;La configuraci\u00f3n predeterminada es susceptible a ataques remotos de denegaci\u00f3n de servicio (DoS) no autenticados por medio del agotamiento de la memoria cuando se ejecuta bajo Lua versiones 5.2 o Lua 5.3"
}
],
"id": "CVE-2021-32918",
"lastModified": "2024-11-21T06:07:55.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T16:15:08.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-06-22 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| secalert@redhat.com | http://hg.prosody.im/0.8/rev/5305a665bdd4 | Patch | |
| secalert@redhat.com | http://hg.prosody.im/0.8/rev/ee6a18f10a8d | Patch | |
| secalert@redhat.com | http://prosody.im/doc/release/0.8.1 | Patch | |
| secalert@redhat.com | http://secunia.com/advisories/44852 | Vendor Advisory | |
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2011/06/14/6 | ||
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2011/06/15/5 | ||
| secalert@redhat.com | http://www.securityfocus.com/bid/48125 | ||
| secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/67884 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.8/rev/5305a665bdd4 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.8/rev/ee6a18f10a8d | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://prosody.im/doc/release/0.8.1 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/44852 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2011/06/14/6 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2011/06/15/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/48125 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/67884 |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| prosody | prosody | 0.1.0 | |
| prosody | prosody | 0.2.0 | |
| prosody | prosody | 0.3.0 | |
| prosody | prosody | 0.4.0 | |
| prosody | prosody | 0.4.1 | |
| prosody | prosody | 0.4.2 | |
| prosody | prosody | 0.5.0 | |
| prosody | prosody | 0.5.1 | |
| prosody | prosody | 0.5.2 | |
| prosody | prosody | 0.6 | |
| prosody | prosody | 0.6.0 | |
| prosody | prosody | 0.6.1 | |
| prosody | prosody | 0.7 | |
| prosody | prosody | 0.7.0 | |
| prosody | prosody | 0.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B041054D-2DDE-4CAA-8127-D54084BC46F7",
"versionEndIncluding": "0.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CAFD513E-D824-4A56-ACAC-C80D253D238E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66CADDFD-351C-4785-AA25-F15482563A0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0EEB6D2F-91DF-452F-B93C-7E27B7F9AE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7C9A3A-25B6-4EFA-BFF0-B3EA4BE50D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3849A36E-AE3C-4A64-A267-455E7DFA23FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BE46CE5D-C648-497C-9B9D-7053E57206ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72D503F4-503A-427E-8601-DC58ABF87556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "27B91228-E7DC-460A-9BB7-AEBB0DB6EF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "641B719B-2739-4E1E-9BE1-B4082D8D85BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "2D355198-545E-4E09-AA63-A75DBC7BDC95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20E34C61-6749-4DDC-A9E0-50A96430CEA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "817100C0-4FCC-4DDE-8B4D-670854BEA3CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "0341BC4C-F4E9-4270-9BAB-733A4BC8FF34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "14F2E897-2B3F-4435-8BAC-87CF347C9AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9AC268E7-EF55-412A-94CD-939D1F690164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564."
},
{
"lang": "es",
"value": "Prosody antes de v0.8.1 no detecta correctamente la recursividad durante la expansi\u00f3n de la entidad, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de memoria y CPU) a trav\u00e9s de un documento XML manipulado que contiene un gran n\u00famero de referencias a entidades anidadas, un problema similar a CVE-2003-1564."
}
],
"id": "CVE-2011-2205",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-06-22T21:55:01.700",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/5305a665bdd4"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/44852"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/06/14/6"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2011/06/15/5"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/48125"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67884"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/5305a665bdd4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/ee6a18f10a8d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/44852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/06/14/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/06/15/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/48125"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67884"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 16:15
Modified
2024-11-21 06:07
Severity ?
Summary
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| cve@mitre.org | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "044D31C3-CD7C-42EE-82DC-891F29A808D2",
"versionEndExcluding": "0.11.9",
"versionStartIncluding": "0.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled)."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Prosody versiones anteriores a 0.11.9.\u0026#xa0;La opci\u00f3n no documentada dialback_without_dialback en la funci\u00f3n mod_dialback habilita una funcionalidad experimental para la autenticaci\u00f3n de servidor a servidor.\u0026#xa0;No autentica correctamente los certificados de servidor remoto, permitiendo que un servidor remoto suplante a otro servidor (cuando esta opci\u00f3n est\u00e1 habilitada)"
}
],
"id": "CVE-2021-32919",
"lastModified": "2024-11-21T06:07:55.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T16:15:08.347",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-06-22 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| cve@mitre.org | http://hg.prosody.im/0.8/rev/20979f124ad9 | Patch | |
| cve@mitre.org | http://prosody.im/doc/release/0.8.1 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-8-1-released/ | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.8/rev/20979f124ad9 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://prosody.im/doc/release/0.8.1 | Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B894C4E-513C-4AF5-9500-D74F1D8DADA8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data."
},
{
"lang": "es",
"value": "La funci\u00f3n json.decode en util/json.lua en Prosody v0.8.x antes de v0.8.1 podr\u00eda permitir a atacantes remotos provocar una denegaci\u00f3n de servicio (bucle infinito) a trav\u00e9s de datos no v\u00e1lidos JSON, como como se demostr\u00f3 con datos truncados."
}
],
"id": "CVE-2011-2532",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-06-22T21:55:02.357",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/20979f124ad9"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://blog.prosody.im/prosody-0-8-1-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://hg.prosody.im/0.8/rev/20979f124ad9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://prosody.im/doc/release/0.8.1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 16:15
Modified
2024-11-21 06:07
Severity ?
Summary
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html | Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| cve@mitre.org | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| lua | lua | * | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9528D37B-78D0-42FC-AAC3-DB6DE6A4A85B",
"versionEndExcluding": "0.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lua:lua:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE24D4A8-0798-4FE3-9B13-DBF7EBCE9336",
"versionStartIncluding": "5.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Prosody versiones anteriores a 0.11.9.\u0026#xa0;No utiliza un algoritmo de tiempo constante para comparar determinadas cadenas secretas cuando se ejecuta bajo Lua versiones 5.2 o posteriores.\u0026#xa0;Esto puede potencialmente ser usado en un ataque de sincronizaci\u00f3n para revelar el contenido de cadenas secretas a un atacante"
}
],
"id": "CVE-2021-32921",
"lastModified": "2024-11-21T06:07:55.843",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T16:15:08.407",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-04-11 01:55
Modified
2025-04-12 10:46
Severity ?
Summary
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@debian.org | http://blog.prosody.im/prosody-0-9-4-released/ | ||
| security@debian.org | http://hg.prosody.im/0.9/rev/1107d66d2ab2 | ||
| security@debian.org | http://hg.prosody.im/0.9/rev/a97591d2e1ad | ||
| security@debian.org | http://openwall.com/lists/oss-security/2014/04/07/7 | ||
| security@debian.org | http://openwall.com/lists/oss-security/2014/04/09/1 | ||
| security@debian.org | http://secunia.com/advisories/57710 | ||
| security@debian.org | http://www.debian.org/security/2014/dsa-2895 | ||
| security@debian.org | http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.prosody.im/prosody-0-9-4-released/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.9/rev/1107d66d2ab2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://hg.prosody.im/0.9/rev/a97591d2e1ad | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2014/04/07/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2014/04/09/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/57710 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2014/dsa-2895 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| prosody | prosody | 0.1.0 | |
| prosody | prosody | 0.2.0 | |
| prosody | prosody | 0.3.0 | |
| prosody | prosody | 0.4.0 | |
| prosody | prosody | 0.4.1 | |
| prosody | prosody | 0.4.2 | |
| prosody | prosody | 0.5.0 | |
| prosody | prosody | 0.5.1 | |
| prosody | prosody | 0.5.2 | |
| prosody | prosody | 0.6.0 | |
| prosody | prosody | 0.6.1 | |
| prosody | prosody | 0.6.2 | |
| prosody | prosody | 0.7.0 | |
| prosody | prosody | 0.8.0 | |
| prosody | prosody | 0.8.1 | |
| prosody | prosody | 0.8.2 | |
| prosody | prosody | 0.9.0 | |
| prosody | prosody | 0.9.1 | |
| prosody | prosody | 0.9.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3BC00F6-770F-4A75-956D-981D54265EA2",
"versionEndIncluding": "0.9.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CAFD513E-D824-4A56-ACAC-C80D253D238E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66CADDFD-351C-4785-AA25-F15482563A0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0EEB6D2F-91DF-452F-B93C-7E27B7F9AE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7C9A3A-25B6-4EFA-BFF0-B3EA4BE50D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3849A36E-AE3C-4A64-A267-455E7DFA23FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BE46CE5D-C648-497C-9B9D-7053E57206ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72D503F4-503A-427E-8601-DC58ABF87556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "27B91228-E7DC-460A-9BB7-AEBB0DB6EF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "641B719B-2739-4E1E-9BE1-B4082D8D85BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20E34C61-6749-4DDC-A9E0-50A96430CEA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "817100C0-4FCC-4DDE-8B4D-670854BEA3CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2445AF7B-643F-4436-BAB7-17027762A016",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "14F2E897-2B3F-4435-8BAC-87CF347C9AB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9B894C4E-513C-4AF5-9500-D74F1D8DADA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B853EF1C-DC87-44FA-A4F0-AACE918F3F56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "79A5214A-FEB7-44CA-9F56-BC23A39C7990",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua."
},
{
"lang": "es",
"value": "Prosody anterior a 0.9.4 no restringe debidamente el procesamiento de elementos XML comprimidos, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de una cadena XMPP manipulada, tambi\u00e9n conocido como una ataque \"xmppbomb\", relacionado con core/portmanager.lua y util/xmppstream.lua."
}
],
"id": "CVE-2014-2745",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-04-11T01:55:06.693",
"references": [
{
"source": "security@debian.org",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"source": "security@debian.org",
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"source": "security@debian.org",
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"source": "security@debian.org",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
},
{
"source": "security@debian.org",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/57710"
},
{
"source": "security@debian.org",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"source": "security@debian.org",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://blog.prosody.im/prosody-0-9-4-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://hg.prosody.im/0.9/rev/1107d66d2ab2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://hg.prosody.im/0.9/rev/a97591d2e1ad"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/04/07/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/04/09/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2895"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-30 17:29
Modified
2024-11-21 03:42
Severity ?
4.2 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://blog.prosody.im/prosody-0-10-2-security-release/ | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://issues.prosody.im/1147 | Vendor Advisory | |
| secalert@redhat.com | https://prosody.im/security/advisory_20180531/ | Vendor Advisory | |
| secalert@redhat.com | https://www.debian.org/security/2018/dsa-4216 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0-10-2-security-release/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://issues.prosody.im/1147 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20180531/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4216 | Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90B92A75-7D90-4FFD-B7B9-6C44497593F7",
"versionEndExcluding": "0.9.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1B1718-33AD-458E-BAEC-A00F0FB43D4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prosody:prosody:0.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9455CF02-1156-4FD4-B286-36D20414466C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance."
},
{
"lang": "es",
"value": "Prosody, en versiones anteriores a la 0.10.2 y 0.9.14, es vulnerable a una omisi\u00f3n de autenticaci\u00f3n. Prosody no verific\u00f3 que el host virtual asociado a una sesi\u00f3n de usuario se mantuviese igual durante los reinicios del flujo. Un usuario podr\u00eda autenticarse en el host XMPP A y migrar su sesi\u00f3n autenticada al host XMPP B de la misma instancia Prosody."
}
],
"id": "CVE-2018-10847",
"lastModified": "2024-11-21T03:42:08.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-30T17:29:00.147",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.prosody.im/1147"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20180531/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0-10-2-security-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.prosody.im/1147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20180531/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4216"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-592"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 16:15
Modified
2024-11-21 06:07
Severity ?
Summary
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| cve@mitre.org | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/13/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/05/14/2 | Mailing List, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.prosody.im/prosody-0.11.9-released/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-15 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2021/dsa-4916 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 32 | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9528D37B-78D0-42FC-AAC3-DB6DE6A4A85B",
"versionEndExcluding": "0.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests."
},
{
"lang": "es",
"value": "Prosody versiones anteriores a 0.11.9, permite un Consumo No Controlado de CPU por medio de una avalancha de peticiones de renegociaci\u00f3n SSL/TLS"
}
],
"id": "CVE-2021-32920",
"lastModified": "2024-11-21T06:07:55.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T16:15:08.377",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.prosody.im/prosody-0.11.9-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4916"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-05-09 17:29
Modified
2024-11-21 03:19
Severity ?
Summary
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://bugs.debian.org/875829 | Issue Tracking, Mailing List | |
| cve@mitre.org | https://hg.prosody.im/0.9/rev/176b7f4e4ac9 | Patch | |
| cve@mitre.org | https://hg.prosody.im/0.9/rev/adfffc5b4e2a | Patch | |
| cve@mitre.org | https://prosody.im/issues/issue/987 | Vendor Advisory | |
| cve@mitre.org | https://www.debian.org/security/2018/dsa-4198 | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/875829 | Issue Tracking, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hg.prosody.im/0.9/rev/176b7f4e4ac9 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hg.prosody.im/0.9/rev/adfffc5b4e2a | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/issues/issue/987 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4198 | Technical Description |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prosody | prosody | * | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74F219C3-EABA-407F-BBD6-65C8381B2238",
"versionEndExcluding": "0.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."
},
{
"lang": "es",
"value": "Prosody en versiones anteriores a la 0.10.0 permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (cierre inesperado de la aplicaci\u00f3n). Esto est\u00e1 relacionado con una incompatibilidad con ciertas versiones de la biblioteca LuaSocket, como el paquete lua-socket de Debian stretch. El atacante necesita desencadenar un error de stream. Se puede observar un cierre inesperado, por ejemplo, en el m\u00f3dulo c2s."
}
],
"id": "CVE-2017-18265",
"lastModified": "2024-11-21T03:19:43.317",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-09T17:29:00.227",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://bugs.debian.org/875829"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"source": "cve@mitre.org",
"tags": [
"Technical Description"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://bugs.debian.org/875829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/issues/issue/987"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://www.debian.org/security/2018/dsa-4198"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-30 14:15
Modified
2024-11-21 06:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2021/07/28/4 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/ | ||
| cve@mitre.org | https://prosody.im/ | Exploit, Product | |
| cve@mitre.org | https://prosody.im/security/advisory_20210722/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/07/28/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/ | Exploit, Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://prosody.im/security/advisory_20210722/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBE5855B-66AA-4464-B516-233E0CA6205B",
"versionEndIncluding": "0.11.9",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations."
},
{
"lang": "es",
"value": "El archivo muc.lib.lua en Prosody versiones 0.11.0 hasta 0.11.9, permite a atacantes remotos obtener informaci\u00f3n confidencial (lista de administradores, miembros, propietarios y entidades prohibidas de una sala de chat multiusuario) en algunas configuraciones comunes"
}
],
"id": "CVE-2021-37601",
"lastModified": "2024-11-21T06:15:30.267",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-30T14:15:18.767",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Product"
],
"url": "https://prosody.im/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20210722/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/28/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Product"
],
"url": "https://prosody.im/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://prosody.im/security/advisory_20210722/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}