CVE-2022-0217

Published: 26/08/2022 Updated: 07/11/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

It was discovered that an internal Prosody library used to load XML, based on libexpat, does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
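The defect described above is a parser that accepts DTD features it has no need for. The following added example (not Prosody's own code, which is Lua on top of LuaExpat; this uses Python's bundled pyexpat binding to the same libexpat library) shows the defensive configuration: an expat parser whose DOCTYPE, entity-declaration and external-entity-reference handlers refuse the document before any entity can be declared or expanded, while ordinary XML such as an XMPP framing element still parses. The function names `parse_restricted` and `rejects`, the `UnsafeXMLError` exception and the sample documents are all constructed for this example.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when the input uses DTD features this parser refuses."""


def parse_restricted(data: bytes) -> dict:
    """Parse XML with libexpat (via pyexpat) while refusing every DTD feature.

    Rejecting the DOCTYPE declaration up front closes both the recursive
    entity expansion surface (CWE-776) and the external entity surface
    (CWE-611): no DTD means no entity declarations and no entity references
    to expand. Returns a small summary of what was parsed.
    """
    parser = expat.ParserCreate()  # hypothetical: plain parser, no namespace splitting
    seen = {"root": None, "elements": 0}

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Primary gate: a DOCTYPE is never needed for XMPP/WebSocket traffic.
        raise UnsafeXMLError(f"DOCTYPE declaration refused: {doctype_name}")

    def on_entity_decl(*_args):
        # Belt and braces: unreachable once DOCTYPE is refused, but kept so a
        # future change to the DOCTYPE handler cannot silently re-enable it.
        raise UnsafeXMLError("entity declaration refused")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Refuse rather than resolve; expat would otherwise hand us the URI.
        raise UnsafeXMLError(f"external entity reference refused: {system_id}")

    def on_start(name, attrs):
        if seen["root"] is None:
            seen["root"] = name
        seen["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start

    # Exceptions raised inside a handler propagate out of Parse(), so a
    # refused document never reaches the point where entities are expanded.
    parser.Parse(data, True)
    return seen


def rejects(data: bytes) -> bool:
    """True if the restricted parser refuses the document on DTD grounds."""
    try:
        parse_restricted(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs: a legitimate XMPP-over-WebSocket framing element
# and a document carrying an internal DTD subset with a single entity.
FRAMING_OPEN = b'<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" to="example.net" version="1.0"/>'
WITH_DTD = b'<!DOCTYPE x [<!ENTITY a "placeholder">]><x>&a;</x>'

if __name__ == "__main__":
    print(parse_restricted(FRAMING_OPEN))
    print("DTD document rejected:", rejects(WITH_DTD))
```

Refusing at the DOCTYPE handler is deliberate: expat parses the internal subset before it reaches the entity references, so by the time a recursive expansion would begin the document has already been thrown away, and no size-based heuristic on the expanded text is needed.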

Vulnerable Product

prosody prosody

Vendor Advisories

Debian Bug report logs - #1003696 prosody: CVE-2022-0217: Unauthenticated Remote Denial of Service Attack in the WebSocket interface. Package: src:prosody; Maintainer for src:prosody is Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 13 ...
Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was susceptible to denial of service. For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u3. For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u1. We recommend that you ...

Mailing Lists

Hi, the fix for this issue introduced a regression in the form of a memory leak (of the unintentional reference variety, not a true leak). A fix for this can be found in this commit: hg.prosody.im/trunk/rev/e5e0ab93d7f4 -- Regards, Kim "Zash" Alvefur ...
On Thursday, 13 January 2022 15:01:11 CET Jonas Schäfer wrote: As promised, attached you'll find instructions for probing for the vulnerability. Kind regards, Jonas ...
Hi, quick update: On Thursday, 13 January 2022 15:01:11 CET Jonas Schäfer wrote: This only works on recent Prosody trunk. On 0.11.x and earlier, you need to: use module:unload("websocket") from the telnet console, OR unload the module via an XMPP Ad-Hoc command, OR, if neither of these online ways are available, remove the module from th ...
Hi everyone, a remote unauthenticated denial of service / resource exhaustion attack was discovered in all Prosody servers with WebSockets enabled and publicly accessible. Upstream builds have been started and should be available shortly. The closely related Snikket project will publish new images shortly, too. Jitsi Meet have been informed a ...