CVE-2014-2744 — Improper Input Validation in Prosody

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.8HIGHNVD

EPSS

2.2%

top 15.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Lua-expat Debian Prosody +1 more

Timeline

PublishedApr 11

Latest updateMay 17

Description

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages5 packages

▶NVDlightwitch/metronome3.4

▶debiandebian/prosody< lua-expat 1.3.0-1 (bookworm)

▶Debianprosody/prosody< 0.9.4-1+3

▶NVDprosody/prosody0.9.3+19

▶debiandebian/lua-expat< lua-expat 1.3.0-1 (bookworm)

Patches

Patch: code.lightwitch.org ↗Patch: hg.prosody.im ↗Patch: code.lightwitch.org ↗

🔴Vulnerability Details

GHSA

GHSA-qx52-4j2j-9hc7: plugins/mod_compression↗2022-05-17

▶

OSV

CVE-2014-2744: plugins/mod_compression↗2014-04-11

▶

📋Vendor Advisories

Debian

CVE-2014-2744: lua-expat - plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metro...↗2014

▶

💬Community

Bugzilla

CVE-2014-2745 CVE-2014-2744 prosody: resource consumption denial of service when using XMPP application-layer compression↗2014-04-09

▶