{"debiancve": [{"lastseen": "2022-06-15T06:03:55", "description": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-13T16:15:00", "type": "debiancve", "title": "CVE-2021-32920", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32920"], "modified": "2021-05-13T16:15:00", "id": "DEBIANCVE:CVE-2021-32920", "href": "https://security-tracker.debian.org/tracker/CVE-2021-32920", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "veracode": [{"lastseen": "2022-05-12T00:20:19", "description": "Prosody is vulnerable to denial of service. An attacker is able to flood SSL/TLS renegotiation requests and potentially cause a denial of service condition.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-14T22:23:40", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32920"], "modified": "2021-05-26T12:13:28", "id": "VERACODE:30444", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30444/summary", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cve": [{"lastseen": "2022-03-23T18:34:05", "description": "Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-13T16:15:00", "type": "cve", "title": "CVE-2021-32920", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32920"], "modified": "2021-05-26T19:26:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2021-32920", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32920", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2022-06-23T14:46:59", "description": "This update for prosody fixes the following issues :\n\nprosody was updated to 0.11.9 :\n\nSecurity :\n\n - mod_limits, prosody.cfg.lua: Enable rate limits by default\n\n - certmanager: Disable renegotiation by default\n\n - mod_proxy65: Restrict access to local c2s connections by default\n\n - util.startup: Set more aggressive defaults for GC\n\n - mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits\n\n - mod_authinternal(plain,hashed): Use constant-time string comparison for secrets\n\n - mod_dialback: Remove dialback-without-dialback feature\n\n - mod_dialback: Use constant-time comparison with hmac\n\nMinor changes :\n\n - util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp)\n\n - mod_c2s: Don’t throw errors in async code when connections are gone\n\n - mod_c2s: Fix traceback in session close when conn is nil\n\n - core.certmanager: Improve detection of LuaSec/OpenSSL capabilities\n\n - mod_saslauth: Use a defined SASL error\n\n - MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info\n\n - mod_saslauth: Don’t throw errors in async code when connections are gone\n\n - mod_pep: Advertise base pubsub feature (fixes #1632:\n mod_pep missing pubsub feature in disco)\n\n - prosodyctl check config: Add ‘gc’ to list of global options\n\n - prosodyctl about: Report libexpat version if known\n\n - util.xmppstream: Add API to dynamically configure the stanza size limit for a stream\n\n - util.set: Add is_set() to test if an object is a set\n\n - mod_http: Skip IP resolution in non-proxied case\n\n - mod_c2s: Log about missing conn on async state changes\n\n - util.xmppstream: Reduce internal default xmppstream limit to 1MB\n\nRelevant: https://prosody.im/security/advisory_20210512\n\n - boo#1186027: Prosody XMPP server advisory 2021-05-12\n\n - CVE-2021-32919\n\n - CVE-2021-32917\n\n - CVE-2021-32917\n\n - CVE-2021-32920\n\n - CVE-2021-32918\n\nUpdate to 0.11.8 :\n\nSecurity :\n\n - mod_saslauth: Disable ‘tls-unique’ channel binding with TLS 1.3 (#1542)\n\nFixes and improvements :\n\n - net.websocket.frames: Improve websocket masking performance by using the new util.strbitop\n\n - util.strbitop: Library for efficient bitwise operations on strings\n\nMinor changes :\n\n - MUC: Correctly advertise whether the subject can be changed (#1155)\n\n - MUC: Preserve disco ‘node’ attribute (or lack thereof) in responses (#1595)\n\n - MUC: Fix logic bug causing unnecessary presence to be sent (#1615)\n\n - mod_bosh: Fix error if client tries to connect to component (#425)\n\n - mod_bosh: Pick out the ‘wait’ before checking it instead of earlier\n\n - mod_pep: Advertise base PubSub feature (#1632)\n\n - mod_pubsub: Fix notification stanza type setting (#1605)\n\n - mod_s2s: Prevent keepalives before client has established a stream\n\n - net.adns: Fix bug that sent empty DNS packets (#1619)\n\n - net.http.server: Don’t send Content-Length on 1xx/204 responses (#1596)\n\n - net.websocket.frames: Fix length calculation bug (#1598)\n\n - util.dbuffer: Make length API in line with Lua strings\n\n - util.dbuffer: Optimize substring operations\n\n - util.debug: Fix locals being reported under wrong stack frame in some cases\n\n - util.dependencies: Fix check for Lua bitwise operations library (#1594)\n\n - util.interpolation: Fix combination of filters and fallback values #1623\n\n - util.promise: Preserve tracebacks\n\n - util.stanza: Reject ASCII control characters (#1606)\n\n - timers: Ensure timers can’t block other processing (#1620)\n\nUpdate to 0.11.7 :\n\nSecurity :\n\n - mod_websocket: Enforce size limits on received frames (fixes #1593)\n\nFixes and improvements :\n\n - mod_c2s, mod_s2s: Make stanza size limits configurable\n\n - Add configuration options to control Lua garbage collection parameters\n\n - net.http: Backport SNI support for outgoing HTTP requests (#409)\n\n - mod_websocket: Process all data in the buffer on close frame and connection errors (fixes #1474, #1234)\n\n - util.indexedbheap: Fix heap data structure corruption, causing some timers to fail after a reschedule (fixes #1572)\n\nUpdate to 0.11.6 :\n\nFixes and improvements :\n\n - mod_storage_internal: Fix error in time limited queries on items without ‘when’ field, fixes #1557\n\n - mod_carbons: Fix handling of incoming MUC PMs #1540\n\n - mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important\n\n - mod_http_files: Avoid using inode in etag, fixes #1498:\n Fail to download file on FreeBSD\n\n - mod_admin_telnet: Create a DNS resolver per console session (fixes #1492: Telnet console DNS commands reduced usefulness)\n\n - core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)\n\n - mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes #1574: Invalid XML input on s2s connection is logged unescaped)\n\n - mod_muc: Allow control over the server-admins-are-room-owners feature (see #1174)\n\n - mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552: MUC MAM may strip its own archive id)\n\n - mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam does not strip spoofed stanza ids\n\n - mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547: mod_muc_mam does not advertise stanza-id\n\nMinor changes :\n\n - net.http API: Add request:cancel() method\n\n - net.http API: Fix traceback on invalid URL passed to request()\n\n - MUC: Persist affiliation_data in new MUC format\n\n - mod_websocket: Fire event on session creation (thanks Aaron van Meerten)\n\n - MUC: Always include ‘affiliation’/‘role’ attributes, defaulting to ‘none’ if nil\n\n - mod_tls: Log when certificates are (re)loaded\n\n - mod_vcard4: Report correct error condition (fixes #1521:\n mod_vcard4 reports wrong error)\n\n - net.http: Re-expose destroy_request() function (fixes unintentional API breakage)\n\n - net.http.server: Strip port from Host header in IPv6 friendly way (fix #1302)\n\n - util.prosodyctl: Tell prosody do daemonize via command line flag (fixes #1514)\n\n - SASL: Apply saslprep where necessary, fixes #1560: Login fails if password contains special chars\n\n - net.http.server: Fix reporting of missing Host header\n\n - util.datamanager API: Fix iterating over “users” (thanks marc0s)\n\n - net.resolvers.basic: Default conn_type to ‘tcp’ consistently if unspecified (thanks marc0s)\n\n - mod_storage_sql: Fix check for deletion limits (fixes #1494)\n\n - mod_admin_telnet: Handle unavailable cipher info (fixes #1510: mod_admin_telnet backtrace)\n\n - Log warning when using prosodyctl start/stop/restart\n\n - core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes #1526)\n\n - mod_storage_sql: Add index covering sort_id to improve performance (fixes #1505)\n\n - mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)\n\n - mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC tags stripped by mod_muc_mam\n\n - mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)\n\n - mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)\n\n - mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)\n\n - util.startup: Remove duplicated initialization of logging (fix #1527: startup: Logging initialized twice)", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : prosody (openSUSE-2021-728)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920"], "modified": "2021-05-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:prosody", "p-cpe:/a:novell:opensuse:prosody-debuginfo", "p-cpe:/a:novell:opensuse:prosody-debugsource", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-728.NASL", "href": "https://www.tenable.com/plugins/nessus/149566", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-728.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149566);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/25\");\n\n script_cve_id(\"CVE-2021-32917\", \"CVE-2021-32918\", \"CVE-2021-32919\", \"CVE-2021-32920\");\n\n script_name(english:\"openSUSE Security Update : prosody (openSUSE-2021-728)\");\n script_summary(english:\"Check for the openSUSE-2021-728 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for prosody fixes the following issues :\n\nprosody was updated to 0.11.9 :\n\nSecurity :\n\n - mod_limits, prosody.cfg.lua: Enable rate limits by\n default\n\n - certmanager: Disable renegotiation by default\n\n - mod_proxy65: Restrict access to local c2s connections by\n default\n\n - util.startup: Set more aggressive defaults for GC\n\n - mod_c2s, mod_s2s, mod_component, mod_bosh,\n mod_websockets: Set default stanza size limits\n\n - mod_authinternal(plain,hashed): Use constant-time string\n comparison for secrets\n\n - mod_dialback: Remove dialback-without-dialback feature\n\n - mod_dialback: Use constant-time comparison with hmac\n\nMinor changes :\n\n - util.hashes: Add constant-time string comparison\n (binding to CRYPTO_memcmp)\n\n - mod_c2s: Don’t throw errors in async code when\n connections are gone\n\n - mod_c2s: Fix traceback in session close when conn is nil\n\n - core.certmanager: Improve detection of LuaSec/OpenSSL\n capabilities\n\n - mod_saslauth: Use a defined SASL error\n\n - MUC: Add support for advertising\n muc#roomconfig_allowinvites in room disco#info\n\n - mod_saslauth: Don’t throw errors in async code\n when connections are gone\n\n - mod_pep: Advertise base pubsub feature (fixes #1632:\n mod_pep missing pubsub feature in disco)\n\n - prosodyctl check config: Add ‘gc’ to list of\n global options\n\n - prosodyctl about: Report libexpat version if known\n\n - util.xmppstream: Add API to dynamically configure the\n stanza size limit for a stream\n\n - util.set: Add is_set() to test if an object is a set\n\n - mod_http: Skip IP resolution in non-proxied case\n\n - mod_c2s: Log about missing conn on async state changes\n\n - util.xmppstream: Reduce internal default xmppstream\n limit to 1MB\n\nRelevant: https://prosody.im/security/advisory_20210512\n\n - boo#1186027: Prosody XMPP server advisory 2021-05-12\n\n - CVE-2021-32919\n\n - CVE-2021-32917\n\n - CVE-2021-32917\n\n - CVE-2021-32920\n\n - CVE-2021-32918\n\nUpdate to 0.11.8 :\n\nSecurity :\n\n - mod_saslauth: Disable ‘tls-unique’ channel\n binding with TLS 1.3 (#1542)\n\nFixes and improvements :\n\n - net.websocket.frames: Improve websocket masking\n performance by using the new util.strbitop\n\n - util.strbitop: Library for efficient bitwise operations\n on strings\n\nMinor changes :\n\n - MUC: Correctly advertise whether the subject can be\n changed (#1155)\n\n - MUC: Preserve disco ‘node’ attribute (or\n lack thereof) in responses (#1595)\n\n - MUC: Fix logic bug causing unnecessary presence to be\n sent (#1615)\n\n - mod_bosh: Fix error if client tries to connect to\n component (#425)\n\n - mod_bosh: Pick out the ‘wait’ before\n checking it instead of earlier\n\n - mod_pep: Advertise base PubSub feature (#1632)\n\n - mod_pubsub: Fix notification stanza type setting (#1605)\n\n - mod_s2s: Prevent keepalives before client has\n established a stream\n\n - net.adns: Fix bug that sent empty DNS packets (#1619)\n\n - net.http.server: Don’t send Content-Length on\n 1xx/204 responses (#1596)\n\n - net.websocket.frames: Fix length calculation bug (#1598)\n\n - util.dbuffer: Make length API in line with Lua strings\n\n - util.dbuffer: Optimize substring operations\n\n - util.debug: Fix locals being reported under wrong stack\n frame in some cases\n\n - util.dependencies: Fix check for Lua bitwise operations\n library (#1594)\n\n - util.interpolation: Fix combination of filters and\n fallback values #1623\n\n - util.promise: Preserve tracebacks\n\n - util.stanza: Reject ASCII control characters (#1606)\n\n - timers: Ensure timers can’t block other processing\n (#1620)\n\nUpdate to 0.11.7 :\n\nSecurity :\n\n - mod_websocket: Enforce size limits on received frames\n (fixes #1593)\n\nFixes and improvements :\n\n - mod_c2s, mod_s2s: Make stanza size limits configurable\n\n - Add configuration options to control Lua garbage\n collection parameters\n\n - net.http: Backport SNI support for outgoing HTTP\n requests (#409)\n\n - mod_websocket: Process all data in the buffer on close\n frame and connection errors (fixes #1474, #1234)\n\n - util.indexedbheap: Fix heap data structure corruption,\n causing some timers to fail after a reschedule (fixes\n #1572)\n\nUpdate to 0.11.6 :\n\nFixes and improvements :\n\n - mod_storage_internal: Fix error in time limited queries\n on items without ‘when’ field, fixes #1557\n\n - mod_carbons: Fix handling of incoming MUC PMs #1540\n\n - mod_csi_simple: Consider XEP-0353: Jingle Message\n Initiation important\n\n - mod_http_files: Avoid using inode in etag, fixes #1498:\n Fail to download file on FreeBSD\n\n - mod_admin_telnet: Create a DNS resolver per console\n session (fixes #1492: Telnet console DNS commands\n reduced usefulness)\n\n - core.certmanager: Move EECDH ciphers before EDH in\n default cipherstring (fixes #1513)\n\n - mod_s2s: Escape invalid XML in loggin (same way as\n mod_c2s) (fixes #1574: Invalid XML input on s2s\n connection is logged unescaped)\n\n - mod_muc: Allow control over the\n server-admins-are-room-owners feature (see #1174)\n\n - mod_muc_mam: Remove spoofed archive IDs before archiving\n (fixes #1552: MUC MAM may strip its own archive id)\n\n - mod_muc_mam: Fix stanza id filter event name, fixes\n #1546: mod_muc_mam does not strip spoofed stanza ids\n\n - mod_muc_mam: Fix missing advertising of XEP-0359, fixes\n #1547: mod_muc_mam does not advertise stanza-id\n\nMinor changes :\n\n - net.http API: Add request:cancel() method\n\n - net.http API: Fix traceback on invalid URL passed to\n request()\n\n - MUC: Persist affiliation_data in new MUC format\n\n - mod_websocket: Fire event on session creation (thanks\n Aaron van Meerten)\n\n - MUC: Always include\n ‘affiliation’/‘role’ attributes,\n defaulting to ‘none’ if nil\n\n - mod_tls: Log when certificates are (re)loaded\n\n - mod_vcard4: Report correct error condition (fixes #1521:\n mod_vcard4 reports wrong error)\n\n - net.http: Re-expose destroy_request() function (fixes\n unintentional API breakage)\n\n - net.http.server: Strip port from Host header in IPv6\n friendly way (fix #1302)\n\n - util.prosodyctl: Tell prosody do daemonize via command\n line flag (fixes #1514)\n\n - SASL: Apply saslprep where necessary, fixes #1560: Login\n fails if password contains special chars\n\n - net.http.server: Fix reporting of missing Host header\n\n - util.datamanager API: Fix iterating over\n “users” (thanks marc0s)\n\n - net.resolvers.basic: Default conn_type to\n ‘tcp’ consistently if unspecified (thanks\n marc0s)\n\n - mod_storage_sql: Fix check for deletion limits (fixes\n #1494)\n\n - mod_admin_telnet: Handle unavailable cipher info (fixes\n #1510: mod_admin_telnet backtrace)\n\n - Log warning when using prosodyctl start/stop/restart\n\n - core.certmanager: Look for privkey.pem to go with\n fullchain.pem (fixes #1526)\n\n - mod_storage_sql: Add index covering sort_id to improve\n performance (fixes #1505)\n\n - mod_mam,mod_muc_mam: Allow other work to be performed\n during archive cleanup (fixes #1504)\n\n - mod_muc_mam: Don’t strip MUC tags, fix #1567: MUC\n tags stripped by mod_muc_mam\n\n - mod_pubsub, mod_pep: Ensure correct number of children\n of (fixes #1496)\n\n - mod_register_ibr: Add FORM_TYPE as required by XEP-0077\n (fixes #1511)\n\n - mod_muc_mam: Fix traceback saving message from\n non-occupant (fixes #1497)\n\n - util.startup: Remove duplicated initialization of\n logging (fix #1527: startup: Logging initialized twice)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://prosody.im/security/advisory_20210512\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected prosody packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-32919\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:prosody\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:prosody-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:prosody-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"prosody-0.11.9-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"prosody-debuginfo-0.11.9-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"prosody-debugsource-0.11.9-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"prosody / prosody-debuginfo / prosody-debugsource\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-13T14:38:30", "description": "The Prosody security advisory 2021-05-12 reports :\n\nThis advisory details 5 new security vulnerabilities discovered in the Prosody.im XMPP server software. All issues are fixed in the 0.11.9 release default configuration.\n\n- CVE-2021-32918: DoS via insufficient memory consumption controls\n\n- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption\n\n- CVE-2021-32921: Use of timing-dependent string comparison with sensitive values\n\n- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration\n\n- CVE-2021-32919: Undocumented dialback-without-dialback option insecure", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-05-14T00:00:00", "type": "nessus", "title": "FreeBSD : Prosody -- multiple vulnerabilities (fc75570a-b417-11eb-a23d-c7ab331fd711)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:prosody", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_FC75570AB41711EBA23DC7AB331FD711.NASL", "href": "https://www.tenable.com/plugins/nessus/149493", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149493);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2021-32917\",\n \"CVE-2021-32918\",\n \"CVE-2021-32919\",\n \"CVE-2021-32920\",\n \"CVE-2021-32921\"\n );\n\n script_name(english:\"FreeBSD : Prosody -- multiple vulnerabilities (fc75570a-b417-11eb-a23d-c7ab331fd711)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Prosody security advisory 2021-05-12 reports :\n\nThis advisory details 5 new security vulnerabilities discovered in the\nProsody.im XMPP server software. All issues are fixed in the 0.11.9\nrelease default configuration.\n\n- CVE-2021-32918: DoS via insufficient memory consumption controls\n\n- CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive\nCPU consumption\n\n- CVE-2021-32921: Use of timing-dependent string comparison with\nsensitive values\n\n- CVE-2021-32917: Use of mod_proxy65 is unrestricted in default\nconfiguration\n\n- CVE-2021-32919: Undocumented dialback-without-dialback option\ninsecure\");\n # https://vuxml.freebsd.org/freebsd/fc75570a-b417-11eb-a23d-c7ab331fd711.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3579533e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-32921\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-32919\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:prosody\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"prosody<0.11.9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-12T20:20:35", "description": "The remote host is affected by the vulnerability described in GLSA-202105-15 (Prosody IM: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Prosody IM. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2022-01-24T00:00:00", "type": "nessus", "title": "GLSA-202105-15 : Prosody IM: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:prosody", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202105-15.NASL", "href": "https://www.tenable.com/plugins/nessus/157035", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202105-15.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(157035);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\"CVE-2021-32917\", \"CVE-2021-32918\", \"CVE-2021-32919\", \"CVE-2021-32920\", \"CVE-2021-32921\");\n script_xref(name:\"GLSA\", value:\"202105-15\");\n\n script_name(english:\"GLSA-202105-15 : Prosody IM: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202105-15\n(Prosody IM: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Prosody IM. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202105-15\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Prosody IM users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-im/prosody-0.11.9'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-32921\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:prosody\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-im/prosody\", unaffected:make_list(\"ge 0.11.9\"), vulnerable:make_list(\"lt 0.11.9\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Prosody IM\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-13T14:38:07", "description": "Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "Debian DSA-4916-1 : prosody - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2022-05-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:prosody", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4916.NASL", "href": "https://www.tenable.com/plugins/nessus/149609", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4916. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149609);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2021-32917\", \"CVE-2021-32918\", \"CVE-2021-32919\", \"CVE-2021-32920\", \"CVE-2021-32921\");\n script_xref(name:\"DSA\", value:\"4916\");\n\n script_name(english:\"Debian DSA-4916-1 : prosody - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were found in Prosody, a lightweight\nJabber/XMPP server, which could result in denial of service or\ninformation disclosure.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/prosody\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/prosody\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4916\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the prosody packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 0.11.2-1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-32921\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:prosody\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"prosody\", reference:\"0.11.2-1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "suse": [{"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes four vulnerabilities is now available.\n\nDescription:\n\n This update for prosody fixes the following issues:\n\n prosody was updated to 0.11.9:\n\n Security:\n\n * mod_limits, prosody.cfg.lua: Enable rate limits by default\n * certmanager: Disable renegotiation by default\n * mod_proxy65: Restrict access to local c2s connections by default\n * util.startup: Set more aggressive defaults for GC\n * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default\n stanza size limits\n * mod_authinternal{plain,hashed}: Use constant-time string comparison for\n secrets\n * mod_dialback: Remove dialback-without-dialback feature\n * mod_dialback: Use constant-time comparison with hmac\n\n Minor changes:\n\n * util.hashes: Add constant-time string comparison (binding to\n CRYPTO_memcmp)\n * mod_c2s: Don\ufffd\ufffd\ufffdt throw errors in async code when connections are gone\n * mod_c2s: Fix traceback in session close when conn is nil\n * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities\n * mod_saslauth: Use a defined SASL error\n * MUC: Add support for advertising muc#roomconfig_allowinvites in room\n disco#info\n * mod_saslauth: Don\ufffd\ufffd\ufffdt throw errors in async code when connections are\n gone\n * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing\n pubsub feature in disco)\n * prosodyctl check config: Add \ufffd\ufffd\ufffdgc\ufffd\ufffd\ufffd to list of global options\n * prosodyctl about: Report libexpat version if known\n * util.xmppstream: Add API to dynamically configure the stanza size limit\n for a stream\n * util.set: Add is_set() to test if an object is a set\n * mod_http: Skip IP resolution in non-proxied case\n * mod_c2s: Log about missing conn on async state changes\n * util.xmppstream: Reduce internal default xmppstream limit to 1MB\n\n Relevant: https://prosody.im/security/advisory_20210512\n\n * boo#1186027: Prosody XMPP server advisory 2021-05-12\n * CVE-2021-32919\n * CVE-2021-32917\n * CVE-2021-32917\n * CVE-2021-32920\n * CVE-2021-32918\n\n Update to 0.11.8:\n\n Security:\n * mod_saslauth: Disable \ufffd\ufffd\ufffdtls-unique\ufffd\ufffd\ufffd channel binding with TLS 1.3\n (#1542)\n\n Fixes and improvements:\n\n * net.websocket.frames: Improve websocket masking performance by using the\n new util.strbitop\n * util.strbitop: Library for efficient bitwise operations on strings\n\n Minor changes:\n\n * MUC: Correctly advertise whether the subject can be changed (#1155)\n * MUC: Preserve disco \ufffd\ufffd\ufffdnode\ufffd\ufffd\ufffd attribute (or lack thereof) in responses\n (#1595)\n * MUC: Fix logic bug causing unnecessary presence to be sent (#1615)\n * mod_bosh: Fix error if client tries to connect to component (#425)\n * mod_bosh: Pick out the \ufffd\ufffd\ufffdwait\ufffd\ufffd\ufffd before checking it instead of earlier\n * mod_pep: Advertise base PubSub feature (#1632)\n * mod_pubsub: Fix notification stanza type setting (#1605)\n * mod_s2s: Prevent keepalives before client has established a stream\n * net.adns: Fix bug that sent empty DNS packets (#1619)\n * net.http.server: Don\ufffd\ufffd\ufffdt send Content-Length on 1xx/204 responses (#1596)\n * net.websocket.frames: Fix length calculation bug (#1598)\n * util.dbuffer: Make length API in line with Lua strings\n * util.dbuffer: Optimize substring operations\n * util.debug: Fix locals being reported under wrong stack frame in some\n cases\n * util.dependencies: Fix check for Lua bitwise operations library (#1594)\n * util.interpolation: Fix combination of filters and fallback values #1623\n * util.promise: Preserve tracebacks\n * util.stanza: Reject ASCII control characters (#1606)\n * timers: Ensure timers can\ufffd\ufffd\ufffdt block other processing (#1620)\n\n Update to 0.11.7:\n\n Security:\n\n * mod_websocket: Enforce size limits on received frames (fixes #1593)\n\n Fixes and improvements:\n\n * mod_c2s, mod_s2s: Make stanza size limits configurable\n * Add configuration options to control Lua garbage collection parameters\n * net.http: Backport SNI support for outgoing HTTP requests (#409)\n * mod_websocket: Process all data in the buffer on close frame and\n connection errors (fixes #1474, #1234)\n * util.indexedbheap: Fix heap data structure corruption, causing some\n timers to fail after a reschedule (fixes #1572)\n\n Update to 0.11.6:\n\n Fixes and improvements:\n\n * mod_storage_internal: Fix error in time limited queries on items without\n \ufffd\ufffd\ufffdwhen\ufffd\ufffd\ufffd field, fixes #1557\n * mod_carbons: Fix handling of incoming MUC PMs #1540\n * mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important\n * mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download\n file on FreeBSD\n * mod_admin_telnet: Create a DNS resolver per console session (fixes\n #1492: Telnet console DNS commands reduced usefulness)\n * core.certmanager: Move EECDH ciphers before EDH in default cipherstring\n (fixes #1513)\n * mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes\n #1574: Invalid XML input on s2s connection is logged unescaped)\n * mod_muc: Allow control over the server-admins-are-room-owners feature\n (see #1174)\n * mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552:\n MUC MAM may strip its own archive id)\n * mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam\n does not strip spoofed stanza ids\n * mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547:\n mod_muc_mam does not advertise stanza-id\n\n Minor changes:\n\n * net.http API: Add request:cancel() method\n * net.http API: Fix traceback on invalid URL passed to request()\n * MUC: Persist affiliation_data in new MUC format\n * mod_websocket: Fire event on session creation (thanks Aaron van Meerten)\n * MUC: Always include \ufffd\ufffd\ufffdaffiliation\ufffd\ufffd\ufffd/\ufffd\ufffd\ufffdrole\ufffd\ufffd\ufffd attributes, defaulting\n to \ufffd\ufffd\ufffdnone\ufffd\ufffd\ufffd if nil\n * mod_tls: Log when certificates are (re)loaded\n * mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4\n reports wrong error)\n * net.http: Re-expose destroy_request() function (fixes unintentional API\n breakage)\n * net.http.server: Strip port from Host header in IPv6 friendly way (fix\n #1302)\n * util.prosodyctl: Tell prosody do daemonize via command line flag (fixes\n #1514)\n * SASL: Apply saslprep where necessary, fixes #1560: Login fails if\n password contains special chars\n * net.http.server: Fix reporting of missing Host header\n * util.datamanager API: Fix iterating over \ufffd\ufffd\ufffdusers\ufffd\ufffd\ufffd (thanks marc0s)\n * net.resolvers.basic: Default conn_type to \ufffd\ufffd\ufffdtcp\ufffd\ufffd\ufffd consistently if\n unspecified (thanks marc0s)\n * mod_storage_sql: Fix check for deletion limits (fixes #1494)\n * mod_admin_telnet: Handle unavailable cipher info (fixes #1510:\n mod_admin_telnet backtrace)\n * Log warning when using prosodyctl start/stop/restart\n * core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes\n #1526)\n * mod_storage_sql: Add index covering sort_id to improve performance\n (fixes #1505)\n * mod_mam,mod_muc_mam: Allow other work to be performed during archive\n cleanup (fixes #1504)\n * mod_muc_mam: Don\ufffd\ufffd\ufffdt strip MUC tags, fix #1567: MUC tags stripped by\n mod_muc_mam\n * mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)\n * mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)\n * mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)\n * util.startup: Remove duplicated initialization of logging (fix #1527:\n startup: Logging initialized twice)\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-751=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-18T00:00:00", "type": "suse", "title": "Security update for prosody (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920"], "modified": "2021-05-18T00:00:00", "id": "OPENSUSE-SU-2021:0751-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJYSI5GATCA32NI325BJB4SQGVY6RLE7/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-26T22:03:05", "description": "An update that fixes four vulnerabilities is now available.\n\nDescription:\n\n This update for prosody fixes the following issues:\n\n prosody was updated to 0.11.9:\n\n Security:\n\n * mod_limits, prosody.cfg.lua: Enable rate limits by default\n * certmanager: Disable renegotiation by default\n * mod_proxy65: Restrict access to local c2s connections by default\n * util.startup: Set more aggressive defaults for GC\n * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default\n stanza size limits\n * mod_authinternal{plain,hashed}: Use constant-time string comparison for\n secrets\n * mod_dialback: Remove dialback-without-dialback feature\n * mod_dialback: Use constant-time comparison with hmac\n\n Minor changes:\n\n * util.hashes: Add constant-time string comparison (binding to\n CRYPTO_memcmp)\n * mod_c2s: Don\ufffd\ufffd\ufffdt throw errors in async code when connections are gone\n * mod_c2s: Fix traceback in session close when conn is nil\n * core.certmanager: Improve detection of LuaSec/OpenSSL capabilities\n * mod_saslauth: Use a defined SASL error\n * MUC: Add support for advertising muc#roomconfig_allowinvites in room\n disco#info\n * mod_saslauth: Don\ufffd\ufffd\ufffdt throw errors in async code when connections are\n gone\n * mod_pep: Advertise base pubsub feature (fixes #1632: mod_pep missing\n pubsub feature in disco)\n * prosodyctl check config: Add \ufffd\ufffd\ufffdgc\ufffd\ufffd\ufffd to list of global options\n * prosodyctl about: Report libexpat version if known\n * util.xmppstream: Add API to dynamically configure the stanza size limit\n for a stream\n * util.set: Add is_set() to test if an object is a set\n * mod_http: Skip IP resolution in non-proxied case\n * mod_c2s: Log about missing conn on async state changes\n * util.xmppstream: Reduce internal default xmppstream limit to 1MB\n\n Relevant: https://prosody.im/security/advisory_20210512\n\n * boo#1186027: Prosody XMPP server advisory 2021-05-12\n * CVE-2021-32919\n * CVE-2021-32917\n * CVE-2021-32917\n * CVE-2021-32920\n * CVE-2021-32918\n\n Update to 0.11.8:\n\n Security:\n * mod_saslauth: Disable \ufffd\ufffd\ufffdtls-unique\ufffd\ufffd\ufffd channel binding with TLS 1.3\n (#1542)\n\n Fixes and improvements:\n\n * net.websocket.frames: Improve websocket masking performance by using the\n new util.strbitop\n * util.strbitop: Library for efficient bitwise operations on strings\n\n Minor changes:\n\n * MUC: Correctly advertise whether the subject can be changed (#1155)\n * MUC: Preserve disco \ufffd\ufffd\ufffdnode\ufffd\ufffd\ufffd attribute (or lack thereof) in responses\n (#1595)\n * MUC: Fix logic bug causing unnecessary presence to be sent (#1615)\n * mod_bosh: Fix error if client tries to connect to component (#425)\n * mod_bosh: Pick out the \ufffd\ufffd\ufffdwait\ufffd\ufffd\ufffd before checking it instead of earlier\n * mod_pep: Advertise base PubSub feature (#1632)\n * mod_pubsub: Fix notification stanza type setting (#1605)\n * mod_s2s: Prevent keepalives before client has established a stream\n * net.adns: Fix bug that sent empty DNS packets (#1619)\n * net.http.server: Don\ufffd\ufffd\ufffdt send Content-Length on 1xx/204 responses (#1596)\n * net.websocket.frames: Fix length calculation bug (#1598)\n * util.dbuffer: Make length API in line with Lua strings\n * util.dbuffer: Optimize substring operations\n * util.debug: Fix locals being reported under wrong stack frame in some\n cases\n * util.dependencies: Fix check for Lua bitwise operations library (#1594)\n * util.interpolation: Fix combination of filters and fallback values #1623\n * util.promise: Preserve tracebacks\n * util.stanza: Reject ASCII control characters (#1606)\n * timers: Ensure timers can\ufffd\ufffd\ufffdt block other processing (#1620)\n\n Update to 0.11.7:\n\n Security:\n\n * mod_websocket: Enforce size limits on received frames (fixes #1593)\n\n Fixes and improvements:\n\n * mod_c2s, mod_s2s: Make stanza size limits configurable\n * Add configuration options to control Lua garbage collection parameters\n * net.http: Backport SNI support for outgoing HTTP requests (#409)\n * mod_websocket: Process all data in the buffer on close frame and\n connection errors (fixes #1474, #1234)\n * util.indexedbheap: Fix heap data structure corruption, causing some\n timers to fail after a reschedule (fixes #1572)\n\n Update to 0.11.6:\n\n Fixes and improvements:\n\n * mod_storage_internal: Fix error in time limited queries on items without\n \ufffd\ufffd\ufffdwhen\ufffd\ufffd\ufffd field, fixes #1557\n * mod_carbons: Fix handling of incoming MUC PMs #1540\n * mod_csi_simple: Consider XEP-0353: Jingle Message Initiation important\n * mod_http_files: Avoid using inode in etag, fixes #1498: Fail to download\n file on FreeBSD\n * mod_admin_telnet: Create a DNS resolver per console session (fixes\n #1492: Telnet console DNS commands reduced usefulness)\n * core.certmanager: Move EECDH ciphers before EDH in default cipherstring\n (fixes #1513)\n * mod_s2s: Escape invalid XML in loggin (same way as mod_c2s) (fixes\n #1574: Invalid XML input on s2s connection is logged unescaped)\n * mod_muc: Allow control over the server-admins-are-room-owners feature\n (see #1174)\n * mod_muc_mam: Remove spoofed archive IDs before archiving (fixes #1552:\n MUC MAM may strip its own archive id)\n * mod_muc_mam: Fix stanza id filter event name, fixes #1546: mod_muc_mam\n does not strip spoofed stanza ids\n * mod_muc_mam: Fix missing advertising of XEP-0359, fixes #1547:\n mod_muc_mam does not advertise stanza-id\n\n Minor changes:\n\n * net.http API: Add request:cancel() method\n * net.http API: Fix traceback on invalid URL passed to request()\n * MUC: Persist affiliation_data in new MUC format\n * mod_websocket: Fire event on session creation (thanks Aaron van Meerten)\n * MUC: Always include \ufffd\ufffd\ufffdaffiliation\ufffd\ufffd\ufffd/\ufffd\ufffd\ufffdrole\ufffd\ufffd\ufffd attributes, defaulting\n to \ufffd\ufffd\ufffdnone\ufffd\ufffd\ufffd if nil\n * mod_tls: Log when certificates are (re)loaded\n * mod_vcard4: Report correct error condition (fixes #1521: mod_vcard4\n reports wrong error)\n * net.http: Re-expose destroy_request() function (fixes unintentional API\n breakage)\n * net.http.server: Strip port from Host header in IPv6 friendly way (fix\n #1302)\n * util.prosodyctl: Tell prosody do daemonize via command line flag (fixes\n #1514)\n * SASL: Apply saslprep where necessary, fixes #1560: Login fails if\n password contains special chars\n * net.http.server: Fix reporting of missing Host header\n * util.datamanager API: Fix iterating over \ufffd\ufffd\ufffdusers\ufffd\ufffd\ufffd (thanks marc0s)\n * net.resolvers.basic: Default conn_type to \ufffd\ufffd\ufffdtcp\ufffd\ufffd\ufffd consistently if\n unspecified (thanks marc0s)\n * mod_storage_sql: Fix check for deletion limits (fixes #1494)\n * mod_admin_telnet: Handle unavailable cipher info (fixes #1510:\n mod_admin_telnet backtrace)\n * Log warning when using prosodyctl start/stop/restart\n * core.certmanager: Look for privkey.pem to go with fullchain.pem (fixes\n #1526)\n * mod_storage_sql: Add index covering sort_id to improve performance\n (fixes #1505)\n * mod_mam,mod_muc_mam: Allow other work to be performed during archive\n cleanup (fixes #1504)\n * mod_muc_mam: Don\ufffd\ufffd\ufffdt strip MUC tags, fix #1567: MUC tags stripped by\n mod_muc_mam\n * mod_pubsub, mod_pep: Ensure correct number of children of (fixes #1496)\n * mod_register_ibr: Add FORM_TYPE as required by XEP-0077 (fixes #1511)\n * mod_muc_mam: Fix traceback saving message from non-occupant (fixes #1497)\n * util.startup: Remove duplicated initialization of logging (fix #1527:\n startup: Logging initialized twice)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-728=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-15T00:00:00", "type": "suse", "title": "Security update for prosody (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920"], "modified": "2021-05-15T00:00:00", "id": "OPENSUSE-SU-2021:0728-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QFZF2R5S5FEXEQIW4Q7P3QW6HA46PJMX/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "debian": [{"lastseen": "2022-02-16T23:32:15", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4916-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMay 17, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : prosody\nCVE ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 \n CVE-2021-32921\n\nMultiple security issues were found in Prosody, a lightweight Jabber/XMPP\nserver, which could result in denial of service or information disclosure.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 0.11.2-1+deb10u1.\n\nWe recommend that you upgrade your prosody packages.\n\nFor the detailed security status of prosody please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/prosody\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-17T20:37:58", "type": "debian", "title": "[SECURITY] [DSA 4916-1] prosody security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-17T20:37:58", "id": "DEBIAN:DSA-4916-1:23B61", "href": "https://lists.debian.org/debian-security-announce/2021/msg00097.html", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "fedora": [{"lastseen": "2021-07-28T14:46:52", "description": "Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-22T01:02:10", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: prosody-0.11.9-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-22T01:02:10", "id": "FEDORA:E347F3094A28", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-07-28T14:46:52", "description": "Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-22T01:08:25", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: prosody-0.11.9-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-22T01:08:25", "id": "FEDORA:5936D318C304", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-07-28T14:46:52", "description": "Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-22T01:16:08", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: prosody-0.11.9-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-22T01:16:08", "id": "FEDORA:9351831041F9", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T18:59:18", "description": "### Background\n\nPros\u014fdy IM is a modern XMPP communication server. It aims to be easy to set up and configure, and efficient with system resources. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Pros\u014fdy IM. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pros\u014fdy IM users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/prosody-0.11.9\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-26T00:00:00", "type": "gentoo", "title": "Pros\u014fdy IM: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-26T00:00:00", "id": "GLSA-202105-15", "href": "https://security.gentoo.org/glsa/202105-15", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:54", "description": "Arch Linux Security Advisory ASA-202105-11\n==========================================\n\nSeverity: High\nDate : 2021-05-19\nCVE-ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920\nCVE-2021-32921\nPackage : prosody\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1955\n\nSummary\n=======\n\nThe package prosody before version 1:0.11.9-1 is vulnerable to multiple\nissues including denial of service, authentication bypass, information\ndisclosure and insufficient validation.\n\nResolution\n==========\n\nUpgrade to 1:0.11.9-1.\n\n# pacman -Syu \"prosody>=1:0.11.9-1\"\n\nThe problems have been fixed upstream in version 0.11.9.\n\nWorkaround\n==========\n\n- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a\nlist of XMPP domains that should be allowed to use the file transfer\nproxy.\n\n- CVE-2021-32918 can be partly mitigated using stricter settings for\nstanza size limits, rate limits and garbage collection parameters, see\nthe referenced upstream advisory for more details.\n\n- CVE-2021-32919 can be mitigated by removing or disabling the\n\u2018dialback_without_dialback\u2019 option.\n\n- CVE-2021-32920 can be mitigated by setting the following ssl option\n(or add to your existing one if you have one):\n\n ssl = {\n options = {\n no_renegotiation = true;\n }\n }\n\n- CVE-2021-32921 can partly be mitigated by enabling and configuring\nrate limits through mod_limits in order to lengthen the amount of time\nrequired to successfully complete a timing attack.\n\nDescription\n===========\n\n- CVE-2021-32917 (insufficient validation)\n\nA security issue was found in the Prosody.im XMPP server software\nbefore version 0.11.9. mod_proxy65 is a file transfer proxy provided\nwith Prosody to facilitate the transfer of files and other data between\nXMPP clients.\n\nIt was discovered that the proxy65 component of Prosody allows open\naccess by default, even if neither of the users have an XMPP account on\nthe local server, allowing unrestricted use of the server's bandwidth.\n\nThe default configuration does not enable mod_proxy65 and is not\naffected. With mod_proxy65 enabled, all configurations without a\n'proxy65_acl' setting configured are affected.\n\n- CVE-2021-32918 (denial of service)\n\nA security issue was found in the Prosody.im XMPP server software\nbefore version 0.11.9. It was discovered that default settings leave\nProsody susceptible to remote unauthenticated denial-of-service (DoS)\nattacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.\n\n- CVE-2021-32919 (authentication bypass)\n\nA security issue was found in the Prosody.im XMPP server software\nbefore version 0.11.9. The undocumented option\n\u2018dialback_without_dialback\u2019 enabled an experimental feature for server-\nto-server authentication. A flaw in this feature meant it did not\ncorrectly authenticate remote servers, allowing a remote server to\nimpersonate another server when this option is enabled.\n\n- CVE-2021-32920 (denial of service)\n\nA security issue was found in the Prosody.im XMPP server software\nbefore version 0.11.9. It was discovered that Prosody does not disable\nSSL/TLS renegotiation, even though this is not used in XMPP. A\nmalicious client may flood a connection with renegotiation requests to\nconsume excessive CPU resources on the server.\n\n- CVE-2021-32921 (information disclosure)\n\nA security issue was found in the Prosody.im XMPP server software\nbefore version 0.11.9. It was discovered that Prosody does not use a\nconstant-time algorithm for comparing certain secret strings when\nrunning under Lua 5.2 or later. This can potentially be used in a\ntiming attack to reveal the contents of secret strings to an attacker.\n\nImpact\n======\n\nA remote attacker could cause excessive use of the server's bandwidth\nand resources, leading to denial of service, impersonate other servers,\nor leak secret strings through timing attacks.\n\nReferences\n==========\n\nhttps://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration\nhttps://hg.prosody.im/trunk/rev/65dcc175ef5b\nhttps://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls\nhttps://hg.prosody.im/trunk/rev/db8e41eb6eff\nhttps://hg.prosody.im/trunk/rev/b0d8920ed5e5\nhttps://hg.prosody.im/trunk/rev/929de6ade6b6\nhttps://hg.prosody.im/trunk/rev/63fd4c8465fb\nhttps://hg.prosody.im/trunk/rev/1937b3c3efb5\nhttps://hg.prosody.im/trunk/rev/3413fea9e6db\nhttps://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure\nhttps://hg.prosody.im/trunk/rev/6be890ca492e\nhttps://hg.prosody.im/trunk/rev/d0e9ffccdef9\nhttps://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption\nhttps://hg.prosody.im/trunk/rev/55ef50d6cf65\nhttps://hg.prosody.im/trunk/rev/5a484bd050a7\nhttps://hg.prosody.im/trunk/rev/aaf9c6b6d18d\nhttps://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values\nhttps://hg.prosody.im/trunk/rev/c98aebe601f9\nhttps://hg.prosody.im/trunk/rev/13b84682518e\nhttps://hg.prosody.im/trunk/rev/6f56170ea986\nhttps://security.archlinux.org/CVE-2021-32917\nhttps://security.archlinux.org/CVE-2021-32918\nhttps://security.archlinux.org/CVE-2021-32919\nhttps://security.archlinux.org/CVE-2021-32920\nhttps://security.archlinux.org/CVE-2021-32921", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-19T00:00:00", "type": "archlinux", "title": "[ASA-202105-11] prosody: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-19T00:00:00", "id": "ASA-202105-11", "href": "https://security.archlinux.org/ASA-202105-11", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nThe Prosody security advisory 2021-05-12 reports:\n\n\n\t This advisory details 5 new security vulnerabilities discovered in the\n\t Prosody.im XMPP server software. All issues are fixed in the 0.11.9\n\t release default configuration.\n\t \n\nCVE-2021-32918: DoS via insufficient memory consumption controls\nCVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption\nCVE-2021-32921: Use of timing-dependent string comparison with sensitive values\nCVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration\nCVE-2021-32919: Undocumented dialback-without-dialback option insecure\n\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-12T00:00:00", "type": "freebsd", "title": "Prosody -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32917", "CVE-2021-32918", "CVE-2021-32919", "CVE-2021-32920", "CVE-2021-32921"], "modified": "2021-05-12T00:00:00", "id": "FC75570A-B417-11EB-A23D-C7AB331FD711", "href": "https://vuxml.freebsd.org/freebsd/fc75570a-b417-11eb-a23d-c7ab331fd711.html", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}
CVE-2021-32920
