Improper Authorization in Prosody - CVE-2021-32917
Published: May 17, 2021
Vulnerability identifier: #VU53314
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32917
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Prosody
Affected software:
Prosody
Prosody
Detailed vulnerability description
The vulnerability allows a remote attacker to use server's bandwidth.
the vulnerability exists within the proxy65 component, which allows open access by default, even if neither of the users has an XMPP account on the local server. A remote attacker can consume the server's bandwidth.
How to mitigate CVE-2021-32917
Install updates from vendor's website.