VYPR
High severity · OSV Advisory · Published Feb 4, 2019 · Updated Aug 5, 2024

CVE-2019-1000021

Description

Slixmpp before 1.4.2 incorrectly allows all contacts to read private PEP data due to a missing access control setting in the XEP-0223 plugin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Slixmpp before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 (fixed in version 1.4.2) contains an access control vulnerability in its XEP-0223 plugin for Persistent Storage of Private Data via PubSub [1]. The publish-options profile the plugin applies when a node is created does not set the pubsub#access_model option, so PEP nodes meant to store private data (e.g., bookmarks) fall back to the server's permissive default access model instead of being restricted to the owner only [1][2].

Exploitation

An attacker who is a contact of the victim need only be subscribed to the victim's PEP notifications or query the node directly. If the victim publishes any private data to a PEP node without explicitly setting the node to private, the attacker can retrieve that data. No special authentication or credentials beyond being a contact are required [1][2].

Impact

Successful exploitation results in the disclosure of private data – such as bookmarks, passwords, or other sensitive information stored via PEP – to all of the victim's contacts. The data is not modified, nor is arbitrary code execution achieved; the impact is purely a confidentiality breach [1][2].

Mitigation

Slixmpp 1.4.2, which includes commit 7cd73b594e8122dddf847953fcfc85ab4d316416, fixes the issue [2][3]. Users should upgrade to version 1.4.2 or later. No workaround is documented; users on earlier versions must avoid publishing private data to PEP nodes without ensuring the node is explicitly configured with a private access model [1]. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of February 2025.
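Added example, not Slixmpp's own code and not using the slixmpp API: a stand-alone Python script (standard library only) that renders the plugin's pre-fix and post-fix profiles as the XEP-0060 publish-options form and audits any jabber:x:data form for an explicit whitelist access model. The node-configuration form it checks is a constructed sample, not a real server response.

```python
import xml.etree.ElementTree as ET

NS_DATA = "jabber:x:data"
NS_PUBLISH_OPTIONS = "http://jabber.org/protocol/pubsub#publish-options"
NS_NODE_CONFIG = "http://jabber.org/protocol/pubsub#node_config"

# The XEP-0223 plugin's profile before and after the fix (taken from the patch).
VULNERABLE_PROFILE = {'pubsub#persist_items': True,
                      'pubsub#send_last_published_item': 'never'}
FIXED_PROFILE = {'pubsub#persist_items': True,
                 'pubsub#access_model': 'whitelist'}

def publish_options_form(profile):
    """Render a profile dict as the jabber:x:data form carried inside
    <publish-options/> (XEP-0060 section 7.1.5)."""
    x = ET.Element(f"{{{NS_DATA}}}x", type="submit")
    ft = ET.SubElement(x, f"{{{NS_DATA}}}field", var="FORM_TYPE", type="hidden")
    ET.SubElement(ft, f"{{{NS_DATA}}}value").text = NS_PUBLISH_OPTIONS
    for var, val in profile.items():
        field = ET.SubElement(x, f"{{{NS_DATA}}}field", var=var)
        # XEP-0004 booleans travel as the strings "1" / "0"
        text = ("1" if val else "0") if isinstance(val, bool) else str(val)
        ET.SubElement(field, f"{{{NS_DATA}}}value").text = text
    return ET.tostring(x, encoding="unicode")

def form_values(form_xml):
    """Parse any jabber:x:data form (publish-options or node config) to a dict."""
    root = ET.fromstring(form_xml)
    return {f.get("var"): [v.text or "" for v in f.findall(f"{{{NS_DATA}}}value")]
            for f in root.findall(f"{{{NS_DATA}}}field")}

def is_private(form_xml):
    """True only when access_model is explicitly 'whitelist'. A missing field means
    the server default applies (for PEP usually 'presence': every contact can read)."""
    return form_values(form_xml).get("pubsub#access_model") == ["whitelist"]

# Constructed sample of a node-config form as a server might return it for a node
# created with the vulnerable profile: access_model fell back to the default.
SAMPLE_NODE_CONFIG = (
    f'<x xmlns="{NS_DATA}" type="result">'
    f'<field var="FORM_TYPE" type="hidden"><value>{NS_NODE_CONFIG}</value></field>'
    '<field var="pubsub#persist_items"><value>1</value></field>'
    '<field var="pubsub#access_model"><value>presence</value></field></x>')

if __name__ == "__main__":
    for name, form in [("vulnerable profile", publish_options_form(VULNERABLE_PROFILE)),
                       ("fixed profile", publish_options_form(FIXED_PROFILE)),
                       ("sample node config", SAMPLE_NODE_CONFIG)]:
        print(f"{name}: private={is_private(form)}")
```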

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
slixmpp (PyPI)    < 1.4.2             1.4.2

Patches

7cd73b594e81

XEP-0223: Fix default access_model, it MUST be whitelist.

https://github.com/poezio/slixmpp · Emmanuel Gil Peyrot · Jan 17, 2019 · via ghsa
1 file changed · +1 −1
  • slixmpp/plugins/xep_0223.py (+1 −1, modified)
    @@ -26,7 +26,7 @@ class XEP_0223(BasePlugin):
         dependencies = {'xep_0163', 'xep_0060', 'xep_0004'}
     
         profile = {'pubsub#persist_items': True,
    -               'pubsub#send_last_published_item': 'never'}
    +               'pubsub#access_model': 'whitelist'}
     
         def configure(self, node, ifrom=None, callback=None, timeout=None):
             """
    
