Vulnerability Description
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Prosody | Prosody | <= 0.9.3 |
Related Weaknesses (CWE)
References
- http://blog.prosody.im/prosody-0-9-4-released/
- http://hg.prosody.im/0.9/rev/1107d66d2ab2
- http://hg.prosody.im/0.9/rev/a97591d2e1ad
- http://openwall.com/lists/oss-security/2014/04/07/7
- http://openwall.com/lists/oss-security/2014/04/09/1
- http://secunia.com/advisories/57710
- http://www.debian.org/security/2014/dsa-2895
- http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-wit
FAQ
What is CVE-2014-2745?
CVE-2014-2745 is a vulnerability with a CVSS score of 7.8 (HIGH). Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, ...
How severe is CVE-2014-2745?
CVE-2014-2745 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-2745?
Check the references section above for vendor advisories and patch information. Affected products include Prosody (vendor: Prosody), versions up to and including 0.9.3; the fix shipped in Prosody 0.9.4.