CVE-2020-8086

Name: CVE-2020-8086
Description: The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-4612-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        | Release                   | Version                                    | Status
prosody-modules (PTS) | buster, buster (security) | 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1 | fixed
prosody-modules (PTS) | bullseye                  | 0.0~hg20210130.dd3bfe8f182e+dfsg-2         | fixed
prosody-modules (PTS) | bookworm                  | 0.0~hg20230223.556bf57d6417+dfsg-1         | fixed
prosody-modules (PTS) | sid, trixie               | 0.0~hg20240124.b109773ce6fe+dfsg-1         | fixed

The information below is based on the following data on fixed versions.

Package         | Type   | Release    | Fixed Version                              | Urgency | Origin     | Debian Bugs
prosody-modules | source | stretch    | 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1  |         | DSA-4612-1 |
prosody-modules | source | buster     | 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1 |         | DSA-4612-1 |
prosody-modules | source | (unstable) | 0.0~hg20200128.09e7e880e056+dfsg-1         |         |            |

Notes

https://hg.prosody.im/prosody-modules/rev/f2b29183ef08
https://prosody.im/security/advisory_20200128/