Improper Authorization in Prosody - CVE-2021-32917

 

Improper Authorization in Prosody - CVE-2021-32917

Published: May 17, 2021


Vulnerability identifier: #VU53314
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32917
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Prosody
Affected software:
Prosody

Detailed vulnerability description

The vulnerability allows a remote attacker to use server's bandwidth.

the vulnerability exists within the proxy65 component, which allows open access by default, even if neither of the users has an XMPP account on the local server. A remote attacker can consume the server's bandwidth.



How to mitigate CVE-2021-32917

Install updates from vendor's website.

Sources