Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2021-32921

Published: 13/05/2021 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Subscribe to Prosody

Vulnerability Summary

An issue exists in Prosody prior to 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

prosody prosody

fedoraproject fedora 32

fedoraproject fedora 33

fedoraproject fedora 34

debian debian linux 9.0

Vendor Advisories

Debian CVElist Bug Report Logs: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921
Debian Bug report logs - #988668 prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921 Package: src:prosody; Maintainer for src:prosody is Debian XMPP Maintainers <pkg-xmpp-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 17 May 2021 17:12:0 ...
Debian Security Advisories: DSA-4916-1 prosody -- security update
Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure For the stable distribution (buster), these problems have been fixed in version 0112-1+deb10u1 We recommend that you upgrade your prosody packages For the detailed security status of prosody please ...
Arch Linux Issues:
A security issue was found in the Prosodyim XMPP server software before version 0119 It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 52 or later This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker ...

Mailing Lists

Full Disclosure: Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities) <!--X-Subject-Header-End--> <!--X-Head-of-Message--> ...

References

CWE-362https://blog.prosody.im/prosody-0.11.9-released/http://www.openwall.com/lists/oss-security/2021/05/13/1http://www.openwall.com/lists/oss-security/2021/05/14/2https://www.debian.org/security/2021/dsa-4916https://security.gentoo.org/glsa/202105-15https://lists.debian.org/debian-lts-announce/2021/06/msg00016.htmlhttps://lists.debian.org/debian-lts-announce/2021/06/msg00018.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668https://nvd.nist.govhttps://www.debian.org/security/2021/dsa-4916
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7028memory leaklog injectionCVE-2024-3400CVE-2022-48695CVE-2022-48675CVE-2024-34487CVE-2024-33792spoof
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook