CVE-2018-10847 — DEPRECATED: Authentication Bypass Issues in Prosody

CWE-592 — DEPRECATED: Authentication Bypass Issues CWE-287 — Improper Authentication6 documents6 sources

Severity

8.8HIGHNVD

EPSS

1.2%

top 20.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Prosody

Timeline

PublishedJul 30

Latest updateMay 13

Description

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/prosody< prosody 0.10.2-1 (bookworm)

▶NVDprosody/prosody< 0.9.14+2

▶Debianprosody/prosody< 0.10.2-1+3

🔴Vulnerability Details

GHSA

GHSA-r7gq-256h-j4mq: prosody before versions 0↗2022-05-13

▶

OSV

CVE-2018-10847: prosody before versions 0↗2018-07-30

▶

📋Vendor Advisories

Ubuntu

Prosody vulnerability↗2021-03-15

▶

Debian

CVE-2018-10847: prosody - prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass...↗2018

▶

💬Community

Bugzilla

CVE-2018-10847 prosody: cross-host authentication vulnerability↗2018-05-31

▶