CVE-2017-18225
https://notcve.org/view.php?id=CVE-2017-18225
The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm in /usr/bin owned by the jabber account, which might allow local users to gain privileges by leveraging access to this account and then waiting for root to execute one of these programs.
• https://bugs.gentoo.org/629412
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2017-18226
https://notcve.org/view.php?id=CVE-2017-18226
The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a root script executes a "kill -TERM `cat /var/run/jabber/filename.pid`" command.
• https://bugs.gentoo.org/631068
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2017-10807
https://notcve.org/view.php?id=CVE-2017-10807
JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.
• http://www.debian.org/security/2017/dsa-3902
• http://www.securityfocus.com/bid/99511
• https://bugs.debian.org/867032
• https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16
• https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1
• CWE-287: Improper Authentication

CVE-2015-2058
https://notcve.org/view.php?id=CVE-2015-2058
c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates data without ensuring it remains valid UTF-8, which allows remote authenticated users to read system memory or possibly have other unspecified impact via a crafted JID.
• http://www.openwall.com/lists/oss-security/2015/02/09/13
• http://www.openwall.com/lists/oss-security/2015/02/23/25
• http://www.securityfocus.com/bid/72731
• https://github.com/jabberd2/jabberd2/issues/85
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2012-3525 – jabberd: Prone to unsolicited XMPP Dialback attacks
https://notcve.org/view.php?id=CVE-2012-3525
s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was made for an XMPP Server Dialback response, which allows remote XMPP servers to spoof domains via a (1) Verify Response or (2) Authorization Response.
• http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
• http://rhn.redhat.com/errata/RHSA-2012-1538.html
• http://rhn.redhat.com/errata/RHSA-2012-1539.html
• http://secunia.com/advisories/50124
• http://secunia.com/advisories/50859
• http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01903.html
• http://www.openwall.com/lists/oss-security/2012/08/22/5
• http://www.openwall.com/lists/oss-security/2012/08/22/6
• http://www.securityfocus.com/bid/55167
• http&
• CWE-20: Improper Input Validation