CVE-2014-2744

Lightwitch Metronome < 3.4 and Prosody < 0.9.4 - Unauthenticated Denial of Service via Compressed XMPP Stream

Title source: llm
STIX 2.1

Description

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

References (8)

Core 8
Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2895
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/57710
Exploit, Patch x_refsource_confirm
http://code.lightwitch.org/metronome/rev/49f47277a411
Vendor Advisory x_refsource_confirm
http://blog.prosody.im/prosody-0-9-4-released/
Exploit, Patch x_refsource_confirm
http://hg.prosody.im/0.9/rev/b3b1c9da38fb
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/04/09/1
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/04/07/7

Scores

EPSS 0.0331
EPSS Percentile 87.1%

Details

CWE
CWE-20
Status published
Products (21)
lightwitch/metronome < 3.4
prosody/prosody 0.1.0
prosody/prosody 0.2.0
prosody/prosody 0.3.0
prosody/prosody 0.4.0
prosody/prosody 0.4.1
prosody/prosody 0.4.2
prosody/prosody 0.5.0
prosody/prosody 0.5.1
prosody/prosody 0.5.2
... and 11 more
Published Apr 11, 2014
Tracked Since Feb 18, 2026