CVE-2018-10847
4.2
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| [UNKNOWN] | prosody | 0.10.2 | affected |
| [UNKNOWN] | prosody | 0.9.14 | affected |
Weaknesses
- CWE-592: CWE-592
ADP Enrichment
CVE Program Container
Additional References
- https://issues.prosody.im/1147
- https://blog.prosody.im/prosody-0-10-2-security-release/
- https://www.debian.org/security/2018/dsa-4216
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847
- https://prosody.im/security/advisory_20180531/
References
- https://issues.prosody.im/1147
- https://blog.prosody.im/prosody-0-10-2-security-release/
- https://www.debian.org/security/2018/dsa-4216
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847
- https://prosody.im/security/advisory_20180531/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.