Denial of Service Vulnerability in Prosody by Prosody Solutions
CVE-2017-18265

7.5 HIGH

Key Information:

Vendor: Prosody

Status
Vendor
CVE Published: 9 May 2018

What is CVE-2017-18265?

Prosody versions prior to 0.10.0 contain a vulnerability that lets remote attackers cause a denial of service in the form of an application crash. The issue stems from an incompatibility with certain releases of the LuaSocket library, such as the lua-socket package from Debian stretch. To exploit it, an attacker must trigger a stream error, which can cause failures in components such as the c2s module and compromises the reliability of the service.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
