Vulnerability Details: CVE-2014-2744
Potential exploit
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
Vulnerability category: Denial of service
Products affected by CVE-2014-2744
- cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:lightwitch:metronome:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2744
- EPSS score: 2.62% (probability of exploitation activity in the next 30 days)
- Percentile: ~84% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-2744
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST | |
CWE ids for CVE-2014-2744
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2744
- http://hg.prosody.im/0.9/rev/b3b1c9da38fb
  Prosody IM 0.9: revision b3b1c9da38fb: mod_compression: Only allow compression on authenticated streams (Exploit; Patch)
- http://secunia.com/advisories/57710
- http://openwall.com/lists/oss-security/2014/04/09/1
  oss-security - Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression
- http://www.debian.org/security/2014/dsa-2895
  Debian -- Security Information -- DSA-2895-1 prosody
- http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
- http://openwall.com/lists/oss-security/2014/04/07/7
  oss-security - Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression
- http://code.lightwitch.org/metronome/rev/49f47277a411
  (Exploit; Patch)
- http://blog.prosody.im/prosody-0-9-4-released/
  Prosody 0.9.4 released | Prosodical Thoughts (Vendor Advisory)