Lucene search

K

PRIOn knowledge basePRION:CVE-2014-2744

HistoryApr 11, 2014 - 1:55 a.m.

Design/Logic Flaw

2014-04-1101:55:00

PRIOn knowledge base

www.prio-n.com

2

6.8 Medium

AI Score

Confidence

High

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.03 Low

EPSS

Percentile

90.7%

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an “xmppbomb” attack.

CPENameOperatorVersion
metronomele3.4
prosodyeq0.6.0
prosodyle0.9.3
prosodyeq0.4.2
prosodyeq0.9.2
prosodyeq0.5.0
prosodyeq0.6.1
prosodyeq0.5.2
prosodyeq0.9.0
prosodyeq0.4.0

Rows per page:

1-10 of 211

References

blog.prosody.im/prosody-0-9-4-released/

code.lightwitch.org/metronome/rev/49f47277a411

hg.prosody.im/0.9/rev/b3b1c9da38fb

openwall.com/lists/oss-security/2014/04/07/7

openwall.com/lists/oss-security/2014/04/09/1

secunia.com/advisories/57710

www.debian.org/security/2014/dsa-2895

xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

6.8 Medium

AI Score

Confidence

High

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.03 Low

EPSS

Percentile

90.7%

Related for PRION:CVE-2014-2744

debiancve1 ubuntucve1 cve2 osv1 fedora1 openvas4 nessus1 debian1 seebug1 prion1