CVE-2021-32917 — Missing Authorization in Prosody

CWE-862 — Missing Authorization4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

3.3%

top 12.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Prosody Debian Linux +1 more

Timeline

PublishedMay 13

Latest updateMay 24

Description

An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/prosody< prosody 0.11.9-1 (bookworm)

▶NVDprosody/prosody< 0.11.9

▶Debianprosody/prosody< 0.11.9-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33, 34

🔴Vulnerability Details

GHSA

GHSA-75h4-f9wm-hqpr: An issue was discovered in Prosody before 0↗2022-05-24

▶

OSV

CVE-2021-32917: An issue was discovered in Prosody before 0↗2021-05-13

▶

📋Vendor Advisories

Debian

CVE-2021-32917: prosody - An issue was discovered in Prosody before 0.11.9. The proxy65 component allows o...↗2021

▶