CVE-2021-32921

 

Published at: - 13-05-2021 06:15

Last modified: - 22-09-2022 03:00

Total changes: - 11

Description

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://blog.prosody.im/prosody-0.11.9-released/
• [oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)-Mailing List, Third Party Advisory
• [oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)-Mailing List, Mitigation, Third Party Advisory
• DSA-4916-Third Party Advisory
• FEDORA-2021-b5d8c6d086-Mailing List, Third Party Advisory
• https://security.gentoo.org/glsa/202105-15
• FEDORA-2021-498be8f560-Mailing List, Third Party Advisory
• FEDORA-2021-a33f6e36e1-Mailing List, Third Party Advisory
• [debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update-Mailing List, Third Party Advisory
• [debian-lts-announce] 20210619 [SECURITY] [DLA 2687-2] prosody regression update-Third Party Advisory

 

Keywords

NVD

 

CVE-2021-32921

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures