CVE-2022-0217
https://notcve.org/view.php?id=CVE-2022-0217
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). Se ha detectado que una biblioteca interna de Prosody para cargar XML basada en libexpat no restringe apropiadamente las funcionalidades XML permitidas en los datos XML analizados. Dada la entrada apropiada del atacante, esto resulta en la expansión de referencias de entidades recursivas de DTDs (CWE-776). • https://bugzilla.redhat.com/show_bug.cgi?id=2040639 https://prosody.im/security/advisory_20220113 https://prosody.im/security/advisory_20220113/1.patch • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVE-2021-32921
https://notcve.org/view.php?id=CVE-2021-32921
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Se detectó un problema en Prosody versiones anteriores a 0.11.9. No utiliza un algoritmo de tiempo constante para comparar determinadas cadenas secretas cuando se ejecuta bajo Lua versiones 5.2 o posteriores. • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2021-32920
https://notcve.org/view.php?id=CVE-2021-32920
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody versiones anteriores a 0.11.9, permite un Consumo No Controlado de CPU por medio de una avalancha de peticiones de renegociación SSL/TLS • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2 •
CVE-2021-32919
https://notcve.org/view.php?id=CVE-2021-32919
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). Se detectó un problema en Prosody versiones anteriores a 0.11.9. La opción no documentada dialback_without_dialback en la función mod_dialback habilita una funcionalidad experimental para la autenticación de servidor a servidor. • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2 • CWE-295: Improper Certificate Validation •
CVE-2021-32918
https://notcve.org/view.php?id=CVE-2021-32918
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Se detectó un problema en Prosody versiones anteriores a 0.11.9. La configuración predeterminada es susceptible a ataques remotos de denegación de servicio (DoS) no autenticados por medio del agotamiento de la memoria cuando se ejecuta bajo Lua versiones 5.2 o Lua 5.3 • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN2 • CWE-400: Uncontrolled Resource Consumption •