Name | CVE-2020-8086 |
Description | The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-4612-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
prosody-modules (PTS) | bullseye | 0.0~hg20210130.dd3bfe8f182e+dfsg-2 | fixed |
prosody-modules (PTS) | bookworm | 0.0~hg20230223.556bf57d6417+dfsg-1 | fixed |
prosody-modules (PTS) | trixie, sid | 0.0~hg20240911.c61a82f80e57+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
prosody-modules | source | stretch | 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1 | | DSA-4612-1 | |
prosody-modules | source | buster | 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1 | | DSA-4612-1 | |
prosody-modules | source | (unstable) | 0.0~hg20200128.09e7e880e056+dfsg-1 | | | |
https://hg.prosody.im/prosody-modules/rev/f2b29183ef08
https://prosody.im/security/advisory_20200128/