CVE-2021-32918
https://notcve.org/view.php?id=CVE-2021-32918
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
References:
http://www.openwall.com/lists/oss-security/2021/05/13/1
http://www.openwall.com/lists/oss-security/2021/05/14/2
https://blog.prosody.im/prosody-0.11.9-released
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2
Weakness: CWE-400: Uncontrolled Resource Consumption
CVE-2021-32917
https://notcve.org/view.php?id=CVE-2021-32917
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
References:
http://www.openwall.com/lists/oss-security/2021/05/13/1
http://www.openwall.com/lists/oss-security/2021/05/14/2
https://blog.prosody.im/prosody-0.11.9-released
https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7
https://lists.fedoraproject.org&
Weakness: CWE-862: Missing Authorization
CVE-2020-8086
https://notcve.org/view.php?id=CVE-2020-8086
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
References:
https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap/mod_auth_ldap.lua
https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap2/mod_auth_ldap2.lua
https://prosody.im/security/advisory_20200128
https://seclists.org/bugtraq/2020/Feb/5
https://www.debian.org/security/2020/dsa-4612
Weakness: CWE-863: Incorrect Authorization
CVE-2018-10847
https://notcve.org/view.php?id=CVE-2018-10847
Prosody before versions 0.10.2 and 0.9.14 is vulnerable to an authentication bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
References:
https://blog.prosody.im/prosody-0-10-2-security-release
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847
https://issues.prosody.im/1147
https://prosody.im/security/advisory_20180531
https://www.debian.org/security/2018/dsa-4216
Weaknesses: CWE-287: Improper Authentication; CWE-592: DEPRECATED: Authentication Bypass Issues
CVE-2017-18265
https://notcve.org/view.php?id=CVE-2017-18265
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
References:
https://bugs.debian.org/875829
https://hg.prosody.im/0.9/rev/176b7f4e4ac9
https://hg.prosody.im/0.9/rev/adfffc5b4e2a
https://prosody.im/issues/issue/987
https://www.debian.org/security/2018/dsa-4198