[ASA-202108-11] prosody: information disclosure
Arch Linux Security Advisory ASA-202108-11 ========================================== Severity: Medium Date : 2021-08-10 CVE-ID : CVE-2021-37601 Package : prosody Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2237 Summary ======= The package prosody before version 1:0.11.10-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 1:0.11.10-1. # pacman -Syu "prosody>=1:0.11.10-1" The problem has been fixed upstream in version 0.11.10. Workaround ========== None. Description =========== It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server. Impact ====== A remote attacker could disclose the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address. References ========== https://bugs.archlinux.org/task/71641 https://prosody.im/security/advisory_20210722/ https://prosody.im/security/advisory_20210722/1.patch https://hg.prosody.im/0.11/rev/d117b92fd8e4 https://security.archlinux.org/CVE-2021-37601
participants (1)
-
Jonas Witschel