JabberD 2.x (aka jabberd2) prior to 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.
Debian Bug report logs - #867032
jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
Package: jabberd2; Maintainer for jabberd2 is Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>; Source for jabberd2 is src:jabberd2
Reported ...
It was discovered that jabberd2, a Jabber instant messenger server,
allowed anonymous SASL connections, even if disabled in the
configuration.
For the stable distribution (stretch), this problem has been fixed in
version 240-3+deb9u1.
We recommend that you upgrade your jabberd2 packages ...