Published: 28/01/2020 Updated: 04/02/2020

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 605

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.

Vulnerable Product	Search on Vulmon	Subscribe to Product
prosody mod auth ldap
prosody mod auth ldap2
debian debian linux 9.0
debian debian linux 10.0

It was discovered that the LDAP authentication modules for the Prosody Jabber/XMPP server incorrectly validated the XMPP address when checking whether a user has admin access For the oldstable distribution (stretch), this problem has been fixed in version 00~hg201701233ed504b944e5+dfsg-1+deb9u1 For the stable distribution (buster), this problem ...

CWE-863 https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap/mod_auth_ldap.lua https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap2/mod_auth_ldap2.lua https://prosody.im/security/advisory_20200128/https://www.debian.org/security/2020/dsa-4612 https://seclists.org/bugtraq/2020/Feb/5 https://nvd.nist.gov https://www.debian.org/security/2020/dsa-4612

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-8086

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect