CVE-2014-2745

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 11-04-2014 03:55

Last modified: - 22-09-2022 03:00

Total changes: - 2

Description

Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:L/Au:N/C:N/I:N/A:C

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

Privileges required

Scope

User interaction

7.8

Base score

10.0

6.9

Exploitability score

Impact score

Verification logic

Reference

http://blog.prosody.im/prosody-0-9-4-released/
[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression-
DSA-2895-
http://hg.prosody.im/0.9/rev/1107d66d2ab2
[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression-
http://hg.prosody.im/0.9/rev/a97591d2e1ad
http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
57710-

Keywords

CVE-2014-2745

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2014-2745

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures