SB2021051330 - Fedora EPEL 8 update for prosody
Published: May 13, 2021
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2021-32917)
The vulnerability allows a remote attacker to consume the server's bandwidth.
The vulnerability exists within the proxy65 component (the SOCKS5 bytestreams file-transfer proxy), which allows open access by default, even if neither of the two users involved in the transfer has an XMPP account on the local server. A remote attacker can relay file transfers through the server and consume its bandwidth.
2) Resource exhaustion (CVE-ID: CVE-2021-32918)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote, unauthenticated attacker can exhaust the server's memory when it runs under Lua 5.2 or Lua 5.3 with default settings and perform a denial of service (DoS) attack.
3) Improper Authentication (CVE-ID: CVE-2021-32919)
The vulnerability allows a remote attacker to bypass the server-to-server authentication process.
The vulnerability exists due to an error when processing server-to-server authentication. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server. Only deployments that have explicitly enabled this option are affected.
4) Resource exhaustion (CVE-ID: CVE-2021-32920)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger uncontrolled CPU consumption via a flood of SSL/TLS renegotiation requests and perform a denial of service (DoS) attack.
5) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2021-32921)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the application does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. Because the comparison stops at the first mismatching byte, the time it takes depends on how much of the attacker's guess matches the secret. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
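The following is an added illustration of the timing-leak pattern behind item 5; it is not Prosody's code and is written in Python rather than Lua. The secret value is constructed for the example, and instead of measuring wall-clock time the comparison functions report how many bytes they examined, which is the deterministic quantity an attacker's timing measurement approximates. The early-exit compare leaks enough for byte-at-a-time recovery; the constant-time compare does not.

```python
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample secret standing in for a server-side secret string
# (for example a shared key or token) that a client-supplied value is compared against.
SECRET = b"s3cr3t-xmpp-key"

# An oracle takes (expected, given) and returns (equal, bytes_examined).
Oracle = Callable[[bytes, bytes], Tuple[bool, int]]


def naive_compare(expected: bytes, given: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: the vulnerable pattern.

    Returns at the first mismatching byte, so the work done (and therefore the
    elapsed time) grows with the length of the correct prefix in `given`.
    """
    if len(expected) != len(given):
        return False, 0
    examined = 0
    for x, y in zip(expected, given):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, given: bytes) -> Tuple[bool, int]:
    """XOR-accumulate comparison: the hardened pattern.

    Every byte is examined whether or not it matches, so the work done does not
    depend on where (or whether) a mismatch occurs.
    """
    if len(expected) != len(given):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(expected, given):
        examined += 1
        acc |= x ^ y
    return acc == 0, examined


def production_compare(expected: bytes, given: bytes) -> bool:
    """In real code use the standard library's constant-time primitive
    rather than a hand-rolled loop."""
    return hmac.compare_digest(expected, given)


def recover_secret(oracle: Oracle, length: int, filler: int = 0x00) -> Optional[bytes]:
    """Byte-at-a-time recovery driven only by the oracle's work-done signal.

    For each position, all 256 candidate bytes are tried with the already
    recovered prefix. Against an early-exit compare the correct candidate lets
    the comparison run one byte further than every wrong one, so it stands out.
    Against a constant-time compare every candidate costs the same, there is no
    signal, and the attack is abandoned (None is returned).
    """
    recovered = b""
    for pos in range(length):
        best_byte, best_cost = 0, -1
        costs = set()
        for cand in range(256):
            guess = recovered + bytes([cand]) + bytes([filler]) * (length - pos - 1)
            equal, cost = oracle(SECRET, guess)
            if equal:
                return guess  # final byte confirmed by an exact match
            costs.add(cost)
            if cost > best_cost:
                best_byte, best_cost = cand, cost
        if len(costs) == 1:
            return None  # every candidate looked the same: nothing leaked
        recovered += bytes([best_byte])
    return None


if __name__ == "__main__":
    print("early-exit compare leaks:", recover_secret(naive_compare, len(SECRET)))
    print("constant-time compare leaks:", recover_secret(constant_time_compare, len(SECRET)))
```

The recovery loop assumes the attacker knows the secret's length and can observe the cost of each comparison; in practice the per-byte difference is nanoseconds and must be averaged over many trials, which is why a network-reachable comparison of secrets must be constant-time rather than merely "fast enough".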
Remediation
Install the update from the vendor's website.