CVE-2021-32917

MEDIUM

prosody < 0.11.9 - Unauthenticated Bandwidth Abuse via proxy65 Component

Title source: llm
STIX 2.1

Description

An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

References (9)

Core 9
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://blog.prosody.im/prosody-0.11.9-released/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/13/1
Mailing List, Mitigation, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/14/2
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4916
Third Party Advisory x_refsource_misc
https://security.gentoo.org/glsa/202105-15
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html

Scores

CVSS v3 5.3
EPSS 0.0217
EPSS Percentile 80.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-862
Status published
Products (6)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
prosody/prosody < 0.11.9
Published May 13, 2021
Tracked Since Feb 18, 2026