rpm package: opensuse/prosody (distro: openSUSE Tumbleweed)
pkg:rpm/opensuse/prosody&distro=openSUSE%20Tumbleweed
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-0217 | — | — | — | < 0.11.12-1.1 | 0.11.12-1.1 | Aug 26, 2022 | It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depen |
| CVE-2021-37601 | — | — | — | < 0.11.10-1.2 | 0.11.10-1.2 | Jul 28, 2021 | muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User Chat room) in some common configurations. |
| CVE-2021-32920 | — | — | — | < 0.11.10-1.2 | 0.11.10-1.2 | May 13, 2021 | Prosody before 0.11.9 allows uncontrolled CPU consumption via a flood of SSL/TLS renegotiation requests. |
| CVE-2021-32919 | — | — | — | < 0.11.10-1.2 | 0.11.10-1.2 | May 13, 2021 | An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impe |
| CVE-2021-32918 | — | — | — | < 0.11.10-1.2 | 0.11.10-1.2 | May 13, 2021 | An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. |
| CVE-2021-32917 | — | — | — | < 0.11.10-1.2 | 0.11.10-1.2 | May 13, 2021 | An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. |
| CVE-2016-0756 | Med | 5.3 | — | < 0.9.11-1.1 | 0.9.11-1.1 | Jan 29, 2016 | The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target d |
| CVE-2016-1232 | High | 7.5 | — | < 0.9.11-1.1 | 0.9.11-1.1 | Jan 12, 2016 | The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute-force attack. |
| CVE-2016-1231 | Med | 5.9 | — | < 0.9.11-1.1 | 0.9.11-1.1 | Jan 12, 2016 | Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path. |