Vulnerability Details : CVE-2021-32917
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
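The weak default beside a restricted configuration, shown as an added illustration in Prosody's Lua configuration syntax; this is not part of the advisory or of the Prosody project's own files. The option names proxy65_acl and proxy65_address are assumed from the mod_proxy65 documentation (check them against the installed version), and the hostnames are placeholders.

```lua
-- Illustrative prosody.cfg.lua fragments (added example, not project code).
-- Assumed option names: proxy65_address, proxy65_acl. Hostnames are placeholders.

-- Shape that is exposed on Prosody < 0.11.9: the component is declared with
-- no access control, so the built-in default applies and any two XMPP
-- entities, neither of which needs an account on this server, can relay
-- file transfers through it and consume the server's bandwidth.
Component "proxy.example.com" "proxy65"
    proxy65_address = "proxy.example.com"

-- Restricted shape: an explicit ACL limits the relay to users of the listed
-- virtual host(s). Prosody 0.11.9 changes the default; stating the ACL in the
-- configuration makes the restriction independent of which default the
-- installed package ships with. Use only one of the two Component blocks.
Component "proxy.example.com" "proxy65"
    proxy65_address = "proxy.example.com"
    proxy65_acl = { "example.com" }
```

If the relay is not needed at all, removing the Component line (or not loading mod_proxy65) closes the exposure regardless of version; otherwise upgrade to 0.11.9 or later and keep the explicit ACL.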
Exploit prediction scoring system (EPSS) score for CVE-2021-32917
Probability of exploitation activity in the next 30 days: 0.32%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 %
CVSS scores for CVE-2021-32917
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P (CVSS v2) | 8.6 | 2.9 | nvd@nist.gov
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | nvd@nist.gov
CWE ids for CVE-2021-32917
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-32917
- https://blog.prosody.im/prosody-0.11.9-released/
  Prosody 0.11.9 released | Prosodical Thoughts (Release Notes; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
  [SECURITY] Fedora 33 Update: prosody-0.11.9-1.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4916
  Debian -- Security Information -- DSA-4916-1 prosody (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
  [SECURITY] Fedora 32 Update: prosody-0.11.9-1.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/05/14/2
  oss-security - Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities) (Mailing List; Mitigation; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
  [SECURITY] Fedora 34 Update: prosody-0.11.9-1.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/202105-15
  Prosŏdy IM: Multiple vulnerabilities (GLSA 202105-15) - Gentoo security (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/05/13/1
  oss-security - Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities) (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html
  [SECURITY] [DLA 2687-1] prosody security update (Mailing List; Third Party Advisory)
Products affected by CVE-2021-32917
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*