CVE-2021-32917

An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

Published: May 13, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-32917
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
prosody / prosody	-	0.11.9
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x

http://www.openwall.com/lists/oss-security/2021/05/13/1
http://www.openwall.com/lists/oss-security/2021/05/14/2
https://blog.prosody.im/prosody-0.11.9-released/
https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
https://security.gentoo.org/glsa/202105-15
https://www.debian.org/security/2021/dsa-4916

Vulnerability Database

300,214

CVE-2021-32917

Deep Security Visibility Without the Complexity