CVE-2014-2741
Gentoo Linux Security Advisory 201406-35
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versión 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegación de servicio (consumo de recursos) por medio de una secuencia XMPP diseñada, también conocido como ataque "xmppbomb" .
Multiple vulnerabilities have been found in Openfire, the worst of which could lead to a Denial of Service condition. Versions less than 3.9.2-r1 are affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-04-08 CVE Reserved
- 2014-04-11 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://community.igniterealtime.org/thread/52317 | X_refsource_confirm | |
| http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77 | X_refsource_confirm | |
| http://openwall.com/lists/oss-security/2014/04/07/7 | Mailing List | |
| http://openwall.com/lists/oss-security/2014/04/09/1 | Mailing List | |
| http://www.kb.cert.org/vuls/id/495476 | Third Party Advisory |
|
| http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Igniterealtime Search vendor "Igniterealtime" | Openfire Search vendor "Igniterealtime" for product "Openfire" | <= 3.9.1 Search vendor "Igniterealtime" for product "Openfire" and version " <= 3.9.1" | - |
Affected
| ||||||