CVE-2020-8086

Name: CVE-2020-8086

Description: The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.

Source: CVE (NVD)

References: DSA-4612-1

NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package   | Release                      | Version                                         | Status |
|------------------|------------------------------|-------------------------------------------------|--------|
| prosody-modules  | stretch (security), stretch  | 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1       | fixed  |
| prosody-modules  | buster, buster (security)    | 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1      | fixed  |
| prosody-modules  | bullseye, sid                | 0.0~hg20200915.ed0c7044b00f+dfsg-1              | fixed  |

The information below is based on the following data on fixed versions.

| Package          | Type   | Release    | Fixed Version                                   | Urgency | Origin     | Debian Bugs |
|------------------|--------|------------|-------------------------------------------------|---------|------------|-------------|
| prosody-modules  | source | stretch    | 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1       |         | DSA-4612-1 |             |
| prosody-modules  | source | buster     | 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1      |         | DSA-4612-1 |             |
| prosody-modules  | source | (unstable) | 0.0~hg20200128.09e7e880e056+dfsg-1              |         |            |             |

Notes

https://hg.prosody.im/prosody-modules/rev/f2b29183ef08
https://prosody.im/security/advisory_20200128/
