U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 10 matching records.
Displaying matches 1 through 10.
Vuln ID Summary CVSS Severity
CVE-2021-32921

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.

Published: May 13, 2021; 12:15:08 PM -0400
V3.1: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-32920

Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.

Published: May 13, 2021; 12:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 7.8 HIGH
CVE-2021-32918

An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.

Published: May 13, 2021; 12:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-32917

An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

Published: May 13, 2021; 12:15:08 PM -0400
V3.1: 5.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-10847

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

Published: July 30, 2018; 1:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-18265

Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.

Published: May 09, 2018; 1:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2016-0756

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.

Published: January 29, 2016; 3:59:06 PM -0500
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2016-1232

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

Published: January 12, 2016; 3:59:10 PM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2014-2745

Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

Published: April 10, 2014; 9:55:06 PM -0400
V3.x:(not available)
V2.0: 7.8 HIGH
CVE-2014-2744

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

Published: April 10, 2014; 9:55:06 PM -0400
V3.x:(not available)
V2.0: 7.8 HIGH