CVE-2021-32921 — Race Condition in Prosody

CWE-362 — Race Condition5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

3.8%

top 11.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prosody Debian Prosody Debian Linux +2 more

Timeline

PublishedMay 13

Latest updateNov 7

Description

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/prosody< prosody 0.11.9-1 (bookworm)

▶NVDprosody/prosody< 0.11.9

▶Debianprosody/prosody< 0.11.9-1+3

▶Palo Altopaloalto/cortex_xdr

Also affects: Debian Linux 9.0, Fedora 32, 33, 34

🔴Vulnerability Details

GHSA

GHSA-vh63-h6gp-hw6w: An issue was discovered in Prosody before 0↗2022-05-24

▶

OSV

CVE-2021-32921: An issue was discovered in Prosody before 0↗2021-05-13

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent↗2024-11-07

▶

Debian

CVE-2021-32921: prosody - An issue was discovered in Prosody before 0.11.9. It does not use a constant-tim...↗2021

▶