CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-18225 – Gentoo Linux Security Advisory 201803-07
https://notcve.org/view.php?id=CVE-2017-18225
12 Mar 2018 — The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm in /usr/bin owned by the jabber account, which might allow local users to gain privileges by leveraging access to this account and then waiting for root to execute one of these programs. El paquete net-im/jabberd2 de Gentoo, hasta la versión 2.6.1, instala jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s y jabberd2-sm en /usr/bin, propiedad de la cuenta jabber. Esto podría perm... • https://bugs.gentoo.org/629412 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-18226 – Gentoo Linux Security Advisory 201803-07
https://notcve.org/view.php?id=CVE-2017-18226
12 Mar 2018 — The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script executes a "kill -TERM `cat /var/run/jabber/filename.pid`" command. El paquete net-im/jabberd2 de Gentoo, hasta la versión 2.6.1, establece la propiedad de /var/run/jabber en la cuenta jabber, lo que podría permitir que usuarios locales finalicen procesos arbi... • https://bugs.gentoo.org/631068 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2017-10807 – Gentoo Linux Security Advisory 201803-07
https://notcve.org/view.php?id=CVE-2017-10807
04 Jul 2017 — JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled. Las versiones 2.x de JabberD (también conocidas como jabberd2) anteriores a la 2.6.1 permiten que cualquiera pueda autenticarse empleando SASL ANONYMOUS, incluso cuando la opción sasl.anonymous en c2s.xml no está habilitada. Multiple vulnerabilities have been found in Gentoo's JabberD 2.x ebuild, the worst of which allows local attackers to escalate privileg... • http://www.debian.org/security/2017/dsa-3902 • CWE-287: Improper Authentication •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-2058
https://notcve.org/view.php?id=CVE-2015-2058
12 Aug 2015 — c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates data without ensuring it remains valid UTF-8, which allows remote authenticated users to read system memory or possibly have other unspecified impact via a crafted JID. Vulnerabilidad en c2s/c2s.c en Jabber Open Source Server 2.3.2 y versiones anteriores trunca datos sin asegurarse de que sigue siendo UTF-8 válido, lo que permite a usuarios remotos autenticados leer la memoria del sistema o posiblemente tener otro impacto no especificado a t... • http://www.openwall.com/lists/oss-security/2015/02/09/13 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 1%CPEs: 43EXPL: 1CVE-2012-3525 – jabberd: Prone to unsolicited XMPP Dialback attacks
https://notcve.org/view.php?id=CVE-2012-3525
25 Aug 2012 — s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was made for an XMPP Server Dialback response, which allows remote XMPP servers to spoof domains via a (1) Verify Response or (2) Authorization Response. s2s/out.c en jabberd2 v2.2.16 y anteriores no comprueba que se presente una solicitud para una respuesta XMPP Server Dialback, lo que permite a servidores remotos de XMPP falsificar dominios a través (1) Verify Response o (2) Authorization Response. • http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 5%CPEs: 8EXPL: 0CVE-2011-1755 – jabberd: DoS via the XML "billion laughs attack"
https://notcve.org/view.php?id=CVE-2011-1755
21 Jun 2011 — jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. jabberd2 antes de v2.2.14 no detecta correctamente la recursividad durante la expansión de la entidad, lo que permite a atacantes remotos provocar una denegación de servicio ( consumo de memoria y CPU ) a través de un documen... • http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •