7.8

CVE-2014-2744

Exploit
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LightwitchMetronome Version <= 3.4
ProsodyProsody Version <= 0.9.3
ProsodyProsody Version0.1.0
ProsodyProsody Version0.2.0
ProsodyProsody Version0.3.0
ProsodyProsody Version0.4.0
ProsodyProsody Version0.4.1
ProsodyProsody Version0.4.2
ProsodyProsody Version0.5.0
ProsodyProsody Version0.5.1
ProsodyProsody Version0.5.2
ProsodyProsody Version0.6.0
ProsodyProsody Version0.6.1
ProsodyProsody Version0.6.2
ProsodyProsody Version0.7.0
ProsodyProsody Version0.8.0
ProsodyProsody Version0.8.1
ProsodyProsody Version0.8.2
ProsodyProsody Version0.9.0
ProsodyProsody Version0.9.1
ProsodyProsody Version0.9.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.31% 0.87
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 10 6.9
AV:N/AC:L/Au:N/C:N/I:N/A:C
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://openwall.com/lists/oss-security/2014/04/07/7
http://openwall.com/lists/oss-security/2014/04/09/1
http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
http://code.lightwitch.org/metronome/rev/49f47277a411
Patch
Exploit
http://blog.prosody.im/prosody-0-9-4-released/
Vendor Advisory
http://hg.prosody.im/0.9/rev/b3b1c9da38fb
Patch
Exploit
http://secunia.com/advisories/57710
http://www.debian.org/security/2014/dsa-2895