CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0217
https://notcve.org/view.php?id=CVE-2022-0217
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). Se ha detectado que una biblioteca interna de Prosody para cargar XML basada en libexpat no restringe apropiadamente las funcionalidades XML permitidas en los datos XML analizados. Dada la entrada apropiada del atacante, esto resulta en la expansión de referencias de entidades recursivas de DTDs (CWE-776). • https://bugzilla.redhat.com/show_bug.cgi?id=2040639 https://prosody.im/security/advisory_20220113 https://prosody.im/security/advisory_20220113/1.patch • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32921
https://notcve.org/view.php?id=CVE-2021-32921
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Se detectó un problema en Prosody versiones anteriores a 0.11.9. No utiliza un algoritmo de tiempo constante para comparar determinadas cadenas secretas cuando se ejecuta bajo Lua versiones 5.2 o posteriores. • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32920
https://notcve.org/view.php?id=CVE-2021-32920
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody versiones anteriores a 0.11.9, permite un Consumo No Controlado de CPU por medio de una avalancha de peticiones de renegociación SSL/TLS • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2 •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2021-32918
https://notcve.org/view.php?id=CVE-2021-32918
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Se detectó un problema en Prosody versiones anteriores a 0.11.9. La configuración predeterminada es susceptible a ataques remotos de denegación de servicio (DoS) no autenticados por medio del agotamiento de la memoria cuando se ejecuta bajo Lua versiones 5.2 o Lua 5.3 • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32917
https://notcve.org/view.php?id=CVE-2021-32917
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. Se detectó un problema en Prosody versiones anteriores a 0.11.9. El componente proxy65 permite un acceso abierto por defecto, incluso si ninguno de los usuarios tiene una cuenta XMPP en el servidor local, permitiendo el uso sin restricciones del ancho de banda del servidor • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org& • CWE-862: Missing Authorization •