CVE-2014-2744
NONE EPSS 87.1%
Published Apr 11, 2014 (12y ago) · Last Modified Jun 17, 2026 (2w ago)
Description
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
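The description names two things: a gate that was missing (compression offered before SASL completed) and the payload class that exploits it (stanzas that are tiny on the wire but huge once inflated). The following is an added Python illustration of both, not Prosody's or Metronome's own code (their modules are Lua). The Session class, the function names, the 64 KiB read chunk and the 1 MiB inflate budget are assumptions chosen for the illustration, and the "bomb" stanza is constructed inline.

```python
import zlib
from dataclasses import dataclass
from typing import Optional

COMPRESS_FEATURE_NS = "http://jabber.org/features/compress"
SASL_FEATURE_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


@dataclass
class Session:
    """Stand-in for a server-side client session (assumption: the user name
    is unset until SASL succeeds, which is how the gate below decides)."""
    username: Optional[str] = None

    @property
    def authenticated(self) -> bool:
        return self.username is not None


def stream_features_vulnerable(session: Session) -> list:
    """Pre-fix behaviour: the compression feature is advertised to every
    session, so a peer that never authenticates can still negotiate zlib
    and then push compressed stanzas that inflate to hundreds of MiB."""
    features = []
    if not session.authenticated:
        features.append(SASL_FEATURE_NS)
    features.append(COMPRESS_FEATURE_NS)
    return features


def stream_features_fixed(session: Session) -> list:
    """Gated behaviour: before authentication only SASL is offered; the
    compression feature appears only once session.username is set."""
    features = []
    if not session.authenticated:
        features.append(SASL_FEATURE_NS)
        return features
    features.append(COMPRESS_FEATURE_NS)
    return features


def compress_stanza(xml: bytes) -> bytes:
    """What a client sends after <compress> succeeds: a zlib stream."""
    return zlib.compress(xml, 9)


def build_xmppbomb(inflated_body: int = 8 * 1024 * 1024):
    """Constructed payload in the spirit of an 'xmppbomb': one <message>
    stanza whose body is megabytes of a single repeated byte. Deflate
    turns such repetitive input into a few KiB on the wire. Returns
    (compressed_bytes, inflated_length)."""
    stanza = (b"<message to='victim@example.org' type='chat'><body>"
              + b"A" * inflated_body + b"</body></message>")
    return compress_stanza(stanza), len(stanza)


class InflateBudgetExceeded(Exception):
    pass


def inflate_bounded(compressed: bytes, max_output: int,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate with a hard byte budget. decompressobj.decompress(data,
    max_length) never returns more than max_length bytes; unprocessed
    input is left in unconsumed_tail, so we loop and count what we have
    produced and abort before the budget is exceeded."""
    d = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while not d.eof:
        produced = d.decompress(data, chunk)
        out += produced
        if len(out) > max_output:
            raise InflateBudgetExceeded(
                f"inflated output exceeded {max_output} bytes")
        data = d.unconsumed_tail
        if not produced and not data:
            raise zlib.error("truncated zlib stream")
    return bytes(out)


def within_inflate_budget(compressed: bytes, max_output: int) -> bool:
    """True if the stream inflates to at most max_output bytes."""
    try:
        inflate_bounded(compressed, max_output)
        return True
    except InflateBudgetExceeded:
        return False


if __name__ == "__main__":
    anon = Session()
    print("vulnerable offers:", stream_features_vulnerable(anon))
    print("fixed offers:     ", stream_features_fixed(anon))
    bomb, inflated = build_xmppbomb()
    print(f"bomb: {len(bomb)} bytes on the wire -> {inflated} bytes "
          f"inflated ({inflated // len(bomb)}:1)")
    print("within 1 MiB budget:", within_inflate_budget(bomb, 1 << 20))
```

The authentication gate is what the advisory is about: it removes the anonymous attack surface, since a peer now has to hold valid credentials before the server will inflate anything for it. It does not by itself bound resource use per stanza, so a deployment that allows self-registration or has many low-trust accounts still wants the second control, an inflate budget like `inflate_bounded`, applied to every compressed stream regardless of who negotiated it.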
Threat Intelligence
EPSS exploit probability: 87.1% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-20 Improper Input Validation
Affected Products 21
| Vendor | Product | Version | Range |
|---|---|---|---|
| lightwitch | metronome | * | ≤3.4 |
| prosody | prosody | * | ≤0.9.3 |
| prosody | prosody | 0.1.0 | any |
| prosody | prosody | 0.2.0 | any |
| prosody | prosody | 0.3.0 | any |
| prosody | prosody | 0.4.0 | any |
| prosody | prosody | 0.4.1 | any |
| prosody | prosody | 0.4.2 | any |
| prosody | prosody | 0.5.0 | any |
| prosody | prosody | 0.5.1 | any |
| prosody | prosody | 0.5.2 | any |
| prosody | prosody | 0.6.0 | any |
| prosody | prosody | 0.6.1 | any |
| prosody | prosody | 0.6.2 | any |
| prosody | prosody | 0.7.0 | any |
| prosody | prosody | 0.8.0 | any |
| prosody | prosody | 0.8.1 | any |
| prosody | prosody | 0.8.2 | any |
| prosody | prosody | 0.9.0 | any |
| prosody | prosody | 0.9.1 | any |
| prosody | prosody | 0.9.2 | any |
References 8
- blog.prosody.im http://blog.prosody.im/prosody-0-9-4-released/
- code.lightwitch.org http://code.lightwitch.org/metronome/rev/49f47277a411
- hg.prosody.im http://hg.prosody.im/0.9/rev/b3b1c9da38fb
- openwall.com http://openwall.com/lists/oss-security/2014/04/07/7
- openwall.com http://openwall.com/lists/oss-security/2014/04/09/1
- secunia.com http://secunia.com/advisories/57710
- debian.org http://www.debian.org/security/2014/dsa-2895
- xmpp.org http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
Remediation
- code.lightwitch.org http://code.lightwitch.org/metronome/rev/49f47277a411
- hg.prosody.im http://hg.prosody.im/0.9/rev/b3b1c9da38fb