A denial-of-service vulnerability
has been reported in Prosody, an XMPP server. If compression is enabled, an
attacker might send highly compressed XML elements (an attack known as a zip bomb)
over XMPP streams and consume all the resources of the server.
The SAX XML parser lua-expat is also affected by this issue.
{"id": "OPENVAS:1361412562310702895", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 2895-1 (prosody - security update)", "description": "A denial-of-service vulnerability\nhas been reported in Prosody, a XMPP server. If compression is enabled, an\nattacker might send highly-compressed XML elements (attack known as zip bomb)\nover XMPP streams and consume all the resources of the server.\n\nThe SAX XML parser lua-expat is also affected by this issues.", "published": "2014-04-06T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702895", "reporter": "Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2014/dsa-2895.html"], "cvelist": ["CVE-2014-2745", "CVE-2014-2744"], "lastseen": "2019-05-29T18:37:43", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2744", "CVE-2014-2745", "CVE-2014-2750"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2895-2:0AC35"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2014-2744", "DEBIANCVE:CVE-2014-2745"]}, {"type": "fedora", "idList": ["FEDORA:21666220DC"]}, {"type": "nessus", "idList": ["FEDORA_2014-5586.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310867743", "OPENVAS:702895", "OPENVAS:867743"]}, {"type": "osv", "idList": ["OSV:DSA-2895-1"]}, {"type": "seebug", "idList": ["SSV:62128"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-2744", "UB:CVE-2014-2745"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-2744", "CVE-2014-2745"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2014-2745"]}, {"type": "nessus", "idList": ["FEDORA_2014-5586.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:702895"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-2744"]}]}, "exploitation": null, 
"vulnersScore": 0.0}, "pluginID": "1361412562310702895", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2895.nasl 14277 2019-03-18 14:45:38Z cfischer $\n# Auto-generated from advisory DSA 2895-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702895\");\n script_version(\"$Revision: 14277 $\");\n script_cve_id(\"CVE-2014-2744\", \"CVE-2014-2745\");\n script_name(\"Debian Security Advisory DSA 2895-1 (prosody - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:45:38 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-06 00:00:00 +0200 (Sun, 06 Apr 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-2895.html\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"prosody on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthis problem has been fixed in version 0.8.2-4+deb7u1 of prosody.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.9.4-1 of prosody.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.0-5+deb7u1 of lua-expat.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.0-1 lua-expat.\n\nWe recommend that you upgrade your prosody and lua-expat packages.\");\n script_tag(name:\"summary\", value:\"A denial-of-service vulnerability\nhas been reported in Prosody, a XMPP server. If compression is enabled, an\nattacker might send highly-compressed XML elements (attack known as zip bomb)\nover XMPP streams and consume all the resources of the server.\n\nThe SAX XML parser lua-expat is also affected by this issues.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"prosody\", ver:\"0.8.2-4+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "naslFamily": "Debian Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1660009887}, "_internal": {"score_hash": "27fa74e40dba2342b34f9d6db181a543"}}
{"debian": [{"lastseen": "2021-11-30T12:16:07", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2895-2 security@debian.org\nhttp://www.debian.org/security/ Luciano Bello\nApril 21, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : prosody\nCVE ID : CVE-2014-2744 CVE-2014-2745\nDebian Bug : 743836\n\nThe update for prosody in DSA 2895 caused a regression when a client \nlogins with the compression functionality activated. This update corrects\nthat problem. For reference, the original advisory text follows.\n\nA denial-of-service vulnerability has been reported in Prosody, a XMPP \nserver. If compression is enabled, an attacker might send highly-com-\npressed XML elements (attack known as "zip bomb") over XMPP streams and \nconsume all the resources of the server.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 0.8.2-4+deb7u2 of prosody.\n\nWe recommend that you upgrade your prosody package.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2014-04-20T23:42:59", "type": "debian", "title": "[SECURITY] [DSA 2895-2] prosody regression update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744", 
"CVE-2014-2745"], "modified": "2014-04-20T23:42:59", "id": "DEBIAN:DSA-2895-2:0AC35", "href": "https://lists.debian.org/debian-security-announce/2014/msg00087.html", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:37:44", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-05-05T00:00:00", "type": "openvas", "title": "Fedora Update for prosody FEDORA-2014-5586", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2745", "CVE-2014-2744"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310867743", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867743", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for prosody FEDORA-2014-5586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867743\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:12:38 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-2745\", \"CVE-2014-2744\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for prosody FEDORA-2014-5586\");\n script_tag(name:\"affected\", value:\"prosody on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-5586\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132426.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'prosody'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"prosody\", rpm:\"prosody~0.8.2~11.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-07-25T10:48:57", "description": "Check for the Version of prosody", "cvss3": {}, "published": "2014-05-05T00:00:00", "type": "openvas", "title": "Fedora Update for prosody FEDORA-2014-5586", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2745", "CVE-2014-2744"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:867743", "href": "http://plugins.openvas.org/nasl.php?oid=867743", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for prosody FEDORA-2014-5586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867743);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:12:38 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-2745\", \"CVE-2014-2744\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for prosody FEDORA-2014-5586\");\n\n tag_insight = \"Prosody is a flexible communications server for Jabber/XMPP written in Lua.\nIt aims to be easy to use, and light on resources. 
For developers it aims\nto be easy to extend and give a flexible system on which to rapidly\ndevelop added functionality, or prototype new protocols.\n\";\n\n tag_affected = \"prosody on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-5586\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132426.html\");\n script_summary(\"Check for the Version of prosody\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"prosody\", rpm:\"prosody~0.8.2~11.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-03-20T16:42:12", "description": "A denial-of-service vulnerability\nhas been reported in Prosody, a XMPP server. 
If compression is enabled, an\nattacker might send highly-compressed XML elements (attack known as zip bomb)\nover XMPP streams and consume all the resources of the server.\n\nThe SAX XML parser lua-expat is also affected by this issues.", "cvss3": {}, "published": "2014-04-06T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2895-1 (prosody - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2745", "CVE-2014-2744"], "modified": "2018-03-19T00:00:00", "id": "OPENVAS:702895", "href": "http://plugins.openvas.org/nasl.php?oid=702895", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2895.nasl 9136 2018-03-19 13:08:02Z cfischer $\n# Auto-generated from advisory DSA 2895-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(702895);\n script_version(\"$Revision: 9136 $\");\n script_cve_id(\"CVE-2014-2744\", \"CVE-2014-2745\");\n script_name(\"Debian Security Advisory DSA 2895-1 (prosody - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-03-19 14:08:02 +0100 (Mon, 19 Mar 2018) $\");\n script_tag(name: \"creation_date\", value: \"2014-04-06 00:00:00 +0200 (Sun, 06 Apr 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2895.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"prosody on Debian Linux\");\n script_tag(name: \"insight\", value: \"Prosody IM is a simple-to-use XMPP\nserver. 
It is designed to be easy to extend via plugins, and light on\nresources.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthis problem has been fixed in version 0.8.2-4+deb7u1 of prosody.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.9.4-1 of prosody.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.0-5+deb7u1 of lua-expat.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.0-1 lua-expat.\n\nWe recommend that you upgrade your prosody and lua-expat packages.\");\n script_tag(name: \"summary\", value: \"A denial-of-service vulnerability\nhas been reported in Prosody, a XMPP server. If compression is enabled, an\nattacker might send highly-compressed XML elements (attack known as zip bomb)\nover XMPP streams and consume all the resources of the server.\n\nThe SAX XML parser lua-expat is also affected by this issues.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"prosody\", ver:\"0.8.2-4+deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "osv": [{"lastseen": "2022-07-21T08:29:01", "description": "\nA denial-of-service vulnerability has been reported in Prosody, a XMPP \nserver. 
If compression is enabled, an attacker might send highly-compressed XML \nelements (attack known as zip bomb) over XMPP streams and consume all \nthe resources of the server.\n\n\nThe SAX XML parser lua-expat is also affected by this issues.\n\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 0.8.2-4+deb7u1 of prosody.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.9.4-1 of prosody.\n\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.0-5+deb7u1 of lua-expat.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.0-1 lua-expat.\n\n\nWe recommend that you upgrade your prosody and lua-expat packages.\n\n\n", "edition": 1, "cvss3": {}, "published": "2014-04-06T00:00:00", "type": "osv", "title": "prosody - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2745", "CVE-2014-2744"], "modified": "2022-07-21T05:48:13", "id": "OSV:DSA-2895-1", "href": "https://osv.dev/vulnerability/DSA-2895-1", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "description": "Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. 
", "cvss3": {}, "published": "2014-05-02T20:56:38", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: prosody-0.8.2-11.fc19", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744", "CVE-2014-2745"], "modified": "2014-05-02T20:56:38", "id": "FEDORA:21666220DC", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X4IGO2RX2FUMYAEUPGVTXBF2OU2DMKYV/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:27:33", "description": "CVE ID:CVE-2014-2744\u3001CVE-2014-2745\r\n\r\nProsody\u662f\u4e00\u4e2a\u7528Lua\u8bed\u8a00\u7f16\u5199\u7684Jabber/XMPP\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\r\n\r\nProsody\u5904\u7406\u538b\u7f29\u6d41\u5b58\u5728\u9519\u8bef\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7XMPP\u6d41\u63d0\u4ea4\u7279\u5236\u7684XML\u6d88\u8017\u7cfb\u7edf\u8d44\u6e90\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\n0\nProsody 0.x\nProsody 0.9.4\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.prosody.im", "cvss3": {}, "published": "2014-04-11T00:00:00", "title": "Prosody XML\u89e3\u538b\u7f29\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-2744", "CVE-2014-2745"], "modified": "2014-04-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62128", "id": "SSV:62128", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-01-18T14:30:59", "description": "Added upstream patches to avoid resource consumption denial of service when using XMPP application-layer compression (#1085692)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2014-05-03T00:00:00", "type": "nessus", "title": "Fedora 19 : prosody-0.8.2-11.fc19 (2014-5586)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744", "CVE-2014-2745"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:prosody", "cpe:/o:fedoraproject:fedora:19"], "id": "FEDORA_2014-5586.NASL", "href": "https://www.tenable.com/plugins/nessus/73846", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5586.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73846);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-2744\", \"CVE-2014-2745\");\n script_bugtraq_id(66723, 66724);\n script_xref(name:\"FEDORA\", value:\"2014-5586\");\n\n script_name(english:\"Fedora 19 : 
prosody-0.8.2-11.fc19 (2014-5586)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Added upstream patches to avoid resource consumption denial of service\nwhen using XMPP application-layer compression (#1085692)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1085692\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132426.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7942d741\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected prosody package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:prosody\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n 
script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"prosody-0.8.2-11.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"prosody\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:42:07", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-2744, CVE-2014-2745. Reason: This candidate is a duplicate of CVE-2014-2744 and/or CVE-2014-2745. Notes: All CVE users should reference CVE-2014-2744 and/or CVE-2014-2745 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2014-04-10T20:55:00", "type": "cve", "title": "CVE-2014-2750", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2014-2744", "CVE-2014-2745", "CVE-2014-2750"], "modified": "2014-04-19T04:48:00", "cpe": [], "id": "CVE-2014-2750", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2750", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2022-03-23T12:42:02", "description": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack.", "cvss3": {}, "published": "2014-04-11T01:55:00", "type": "cve", "title": "CVE-2014-2744", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744"], "modified": "2014-04-19T04:48:00", "cpe": ["cpe:/a:prosody:prosody:0.9.0", "cpe:/a:prosody:prosody:0.6.0", "cpe:/a:prosody:prosody:0.8.2", "cpe:/a:prosody:prosody:0.5.0", "cpe:/a:prosody:prosody:0.5.1", "cpe:/a:prosody:prosody:0.4.0", "cpe:/a:prosody:prosody:0.6.2", "cpe:/a:prosody:prosody:0.9.3", "cpe:/a:lightwitch:metronome:3.4", "cpe:/a:prosody:prosody:0.8.1", "cpe:/a:prosody:prosody:0.7.0", "cpe:/a:prosody:prosody:0.8.0", "cpe:/a:prosody:prosody:0.9.2", 
"cpe:/a:prosody:prosody:0.4.2", "cpe:/a:prosody:prosody:0.9.1", "cpe:/a:prosody:prosody:0.5.2", "cpe:/a:prosody:prosody:0.2.0", "cpe:/a:prosody:prosody:0.1.0", "cpe:/a:prosody:prosody:0.6.1", "cpe:/a:prosody:prosody:0.4.1", "cpe:/a:prosody:prosody:0.3.0"], "id": "CVE-2014-2744", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2744", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:prosody:prosody:0.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:lightwitch:metronome:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:42:03", "description": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua.", "cvss3": {}, "published": "2014-04-11T01:55:00", "type": "cve", "title": "CVE-2014-2745", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2745"], "modified": "2014-04-19T04:48:00", "cpe": ["cpe:/a:prosody:prosody:0.9.0", "cpe:/a:prosody:prosody:0.6.0", "cpe:/a:prosody:prosody:0.8.2", "cpe:/a:prosody:prosody:0.5.0", "cpe:/a:prosody:prosody:0.5.1", "cpe:/a:prosody:prosody:0.4.0", "cpe:/a:prosody:prosody:0.6.2", "cpe:/a:prosody:prosody:0.9.3", "cpe:/a:prosody:prosody:0.8.1", "cpe:/a:prosody:prosody:0.7.0", "cpe:/a:prosody:prosody:0.8.0", "cpe:/a:prosody:prosody:0.9.2", "cpe:/a:prosody:prosody:0.4.2", "cpe:/a:prosody:prosody:0.9.1", "cpe:/a:prosody:prosody:0.5.2", "cpe:/a:prosody:prosody:0.2.0", "cpe:/a:prosody:prosody:0.1.0", "cpe:/a:prosody:prosody:0.6.1", "cpe:/a:prosody:prosody:0.4.1", "cpe:/a:prosody:prosody:0.3.0"], "id": "CVE-2014-2745", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2745", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:prosody:prosody:0.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-08-04T14:21:33", "description": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch\nMetronome through 3.4 negotiates stream compression while a session is\nunauthenticated, which allows remote attackers to cause a denial of service\n(resource consumption) via compressed XML elements in an XMPP stream, aka\nan \"xmppbomb\" attack.", "cvss3": {}, "published": "2014-04-11T00:00:00", "type": "ubuntucve", "title": "CVE-2014-2744", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744"], "modified": "2014-04-11T00:00:00", "id": "UB:CVE-2014-2744", "href": "https://ubuntu.com/security/CVE-2014-2744", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-04T14:21:34", "description": "Prosody before 0.9.4 does not properly restrict the processing of\ncompressed XML elements, which allows remote attackers to cause a denial of\nservice (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\"\nattack, related to core/portmanager.lua and util/xmppstream.lua.", "cvss3": {}, "published": "2014-04-11T00:00:00", "type": "ubuntucve", "title": "CVE-2014-2745", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2745"], "modified": "2014-04-11T00:00:00", "id": "UB:CVE-2014-2745", "href": "https://ubuntu.com/security/CVE-2014-2745", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "debiancve": [{"lastseen": "2023-01-23T02:06:54", "description": "plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an \"xmppbomb\" attack.", "cvss3": {}, "published": "2014-04-11T01:55:00", "type": "debiancve", "title": "CVE-2014-2744", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2744"], "modified": "2014-04-11T01:55:00", "id": "DEBIANCVE:CVE-2014-2744", "href": "https://security-tracker.debian.org/tracker/CVE-2014-2744", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-23T02:07:48", "description": "Prosody before 0.9.4 does not properly restrict the processing of compressed XML 
elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack, related to core/portmanager.lua and util/xmppstream.lua.", "cvss3": {}, "published": "2014-04-11T01:55:00", "type": "debiancve", "title": "CVE-2014-2745", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2745"], "modified": "2014-04-11T01:55:00", "id": "DEBIANCVE:CVE-2014-2745", "href": "https://security-tracker.debian.org/tracker/CVE-2014-2745", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}