
CVE-2018-10847

Published: 30/07/2018 Updated: 09/10/2019
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Prosody before 0.10.2 and 0.9.14 is vulnerable to an authentication bypass. Prosody did not verify that the virtual host bound to a user session stayed the same across XMPP stream restarts. A user could authenticate to virtual host A and then, by restarting the stream with a header naming virtual host B on the same Prosody instance, carry the already-authenticated session over to host B, so that the session ends up bound to a realm it never authenticated against.
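The following Python model plays that exchange through a minimal client-to-server session handler, once with the flawed behaviour (the restart header silently re-binds the session's host) and once with a host-consistency check on restart. It is an added illustration, not Prosody's code: the virtual hosts, the accounts, the SASL PLAIN handling, the `verify_host_on_restart` switch and the choice of the RFC 6120 `not-authorized` and `host-unknown` stream error conditions are all assumptions made for the example.

```python
# Model of CVE-2018-10847: the virtual host of an authenticated XMPP session is
# not re-checked when the client restarts the stream. Stand-alone illustration,
# not Prosody code; hosts, accounts and error conditions are constructed.
import base64
import re

# Constructed virtual hosts and accounts served by one hypothetical server.
VHOSTS = {
    "hosta.example": {"alice": "s3cret"},
    "hostb.example": {"bob": "hunter2"},
}

STREAM_OPEN_RE = re.compile(r"<stream:stream\b([^>]*)>")
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_stream_header(raw):
    """Return the attributes of an XMPP stream header as a dict."""
    m = STREAM_OPEN_RE.search(raw)
    if m is None:
        raise ValueError("not a stream header")
    return {name: dq or sq for name, dq, sq in ATTR_RE.findall(m.group(1))}


class StreamError(Exception):
    """Carries the RFC 6120 stream error condition the server would send."""

    def __init__(self, condition):
        super().__init__(condition)
        self.condition = condition


class Session:
    """One client-to-server session; models only host binding and SASL PLAIN."""

    def __init__(self, vhosts, verify_host_on_restart):
        self.vhosts = vhosts
        self.verify_host_on_restart = verify_host_on_restart
        self.host = None       # virtual host the stream is currently bound to
        self.username = None   # set once SASL succeeds

    def handle(self, raw):
        body = raw.lstrip()
        if body.startswith("<stream:stream"):
            return self.on_stream_open(parse_stream_header(body))
        if body.startswith("<auth"):
            return self.on_sasl_plain(body)
        if "<bind" in body:
            return self.on_bind(body)
        raise ValueError("stanza not covered by this model")

    def on_stream_open(self, attrs):
        to = attrs.get("to")
        if to not in self.vhosts:
            raise StreamError("host-unknown")
        if self.username is not None and to != self.host and self.verify_host_on_restart:
            # Fixed behaviour: an authenticated session may not change host.
            raise StreamError("not-authorized")
        # Vulnerable behaviour (verify_host_on_restart=False): the restart header
        # silently re-binds an authenticated session to whatever host it names.
        self.host = to
        return "<stream:features/>"

    def on_sasl_plain(self, body):
        m = re.search(r"<auth[^>]*>([^<]*)</auth>", body)
        if m is None or self.host is None:
            raise StreamError("not-authorized")
        try:
            _authzid, user, password = base64.b64decode(m.group(1)).decode().split("\0")
        except ValueError:
            raise StreamError("not-authorized")
        # Credentials are checked against the host the stream was first opened to.
        if self.vhosts[self.host].get(user) != password:
            raise StreamError("not-authorized")
        self.username = user
        return "<success/>"

    def on_bind(self, body):
        if self.username is None:
            raise StreamError("not-authorized")
        m = re.search(r"<resource>([^<]*)</resource>", body)
        resource = m.group(1) if m else "default"
        # The full JID takes whatever host the session is bound to right now.
        return f"{self.username}@{self.host}/{resource}"


def plain_credential(user, password):
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def client_messages(restart_to, password):
    """Constructed client traffic: open to host A, authenticate, restart, bind."""
    ns = "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'"
    return [
        f"<stream:stream to='hosta.example' {ns}>",
        f"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
        f"{plain_credential('alice', password)}</auth>",
        f"<stream:stream to='{restart_to}' {ns}>",
        "<iq type='set' id='bind1'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>"
        "<resource>laptop</resource></bind></iq>",
    ]


def run_exchange(verify_host_on_restart, restart_to="hostb.example", password="s3cret"):
    """Drive one session; return the bound JID or the stream error condition."""
    session = Session(VHOSTS, verify_host_on_restart)
    result = None
    try:
        for msg in client_messages(restart_to, password):
            result = session.handle(msg)
    except StreamError as e:
        return f"stream-error:{e.condition}"
    return result


if __name__ == "__main__":
    print("vulnerable:", run_exchange(False))  # alice@hostb.example/laptop
    print("fixed:", run_exchange(True))        # stream-error:not-authorized
```

With the check disabled, alice authenticates against `hosta.example` but binds as `alice@hostb.example/laptop`, a JID under a host that never checked her credentials; with the check enabled the restart to a different host is refused, while a restart naming the same host (the normal post-SASL restart) still succeeds.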


Vulnerable Products

Prosody 0.10.0

Prosody 0.10.1

Prosody (version not specified)

Vendor Advisories

Debian Bug report logs - #900524 prosody: CVE-2018-10847: insufficient stream header validation. Package: src:prosody; Maintainer for src:prosody is Debian XMPP Maintainers <pkg-xmpp-devel@alioth-lists.debian.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 31 May 2018 19:54:03 UTC; Severity: grav ...
It was discovered that Prosody, a lightweight Jabber/XMPP server, does not properly validate client-provided parameters during XMPP stream restarts, allowing authenticated users to override the realm associated with their session, potentially bypassing security policies and allowing impersonation. Details can be found in the upstream advisory at ht ...