CVE-2021-32917

NameCVE-2021-32917
DescriptionAn issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2687-1, DSA-4916-1
NVD severitymedium
Debian Bugs988668

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
prosody (PTS)stretch0.9.12-2+deb9u2vulnerable
stretch (security)0.9.12-2+deb9u4fixed
buster, buster (security)0.11.2-1+deb10u2fixed
bullseye, sid0.11.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
prosodysourcestretch0.9.12-2+deb9u3DLA-2687-1
prosodysourcebuster0.11.2-1+deb10u1DSA-4916-1
prosodysource(unstable)0.11.9-1988668

Notes

https://www.openwall.com/lists/oss-security/2021/05/13/1
https://prosody.im/security/advisory_20210512.txt
https://hg.prosody.im/trunk/rev/65dcc175ef5b

Search for package or bug name: Reporting problems