
CVE-2017-18265

Published: 09/05/2018 Updated: 03/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Prosody prior to 0.10.0 allows remote malicious users to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.

Vulnerable Product

prosody prosody

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #875829 prosody: CVE-2017-18265: crashed on error handling for stream errors. Package: prosody; Maintainer for prosody is Debian XMPP Maintainers <pkg-xmpp-devel@alioth-lists.debian.net>; Source for prosody is src:prosody. Reported by: Albert Dengg <albert@fsfe.org>. Date: ...
Albert Dengg discovered that incorrect parsing of <stream:error> messages in the Prosody Jabber/XMPP server may result in denial of service. The oldstable distribution (jessie) is not affected. For the stable distribution (stretch), this problem has been fixed in version 0.9.12-2+deb9u1. We recommend that you upgrade your prosody packages. Fo ...