CVE-2014-2745 — Prosody vulnerability

CWE-2645 documents5 sources

Severity

7.8HIGHNVD

EPSS

2.2%

top 15.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Prosody

Timeline

PublishedApr 11

Latest updateMay 17

Description

Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages3 packages

▶debiandebian/prosody< prosody 0.9.4-1 (bookworm)

▶Debianprosody/prosody< 0.9.4-1+3

▶NVDprosody/prosody0.9.3+19

🔴Vulnerability Details

GHSA

GHSA-8jhg-7mm6-vg49: Prosody before 0↗2022-05-17

▶

OSV

CVE-2014-2745: Prosody before 0↗2014-04-11

▶

📋Vendor Advisories

Debian

CVE-2014-2745: prosody - Prosody before 0.9.4 does not properly restrict the processing of compressed XML...↗2014

▶

💬Community

Bugzilla

CVE-2014-2745 CVE-2014-2744 prosody: resource consumption denial of service when using XMPP application-layer compression↗2014-04-09

▶