Remote Information Disclosure in Prosody XMPP Server
CVE-2021-37601

7.5 HIGH

Key Information:

Vendor: Prosody

Status
Vendor
CVE Published: 30 July 2021

What is CVE-2021-37601?

The muc.lib.lua component in Prosody versions 0.11.0 through 0.11.9 contains a vulnerability that allows remote attackers to gain unauthorized access to sensitive information about multi-user chat rooms. The exposed information includes details about a room's admins, members, owners, and banned entities, and can lead to significant privacy breaches when the server is configured inappropriately. Users of affected versions are urged to review their configurations and apply security updates as needed.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
