CVE-2014-2744

Severity: NONE · EPSS 87.1%
Published Apr 11, 2014 (12y ago) · Modified Jun 17, 2026 (2w ago)

Description

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

Threat Intelligence

EPSS Exploit Probability
87.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation

Affected Products 21

Vendor     | Product   | Version | Range
-----------|-----------|---------|-------
lightwitch | metronome | *       | ≤3.4
prosody    | prosody   | *       | ≤0.9.3
prosody    | prosody   | 0.1.0   | any
prosody    | prosody   | 0.2.0   | any
prosody    | prosody   | 0.3.0   | any
prosody    | prosody   | 0.4.0   | any
prosody    | prosody   | 0.4.1   | any
prosody    | prosody   | 0.4.2   | any
prosody    | prosody   | 0.5.0   | any
prosody    | prosody   | 0.5.1   | any
prosody    | prosody   | 0.5.2   | any
prosody    | prosody   | 0.6.0   | any
prosody    | prosody   | 0.6.1   | any
prosody    | prosody   | 0.6.2   | any
prosody    | prosody   | 0.7.0   | any
prosody    | prosody   | 0.8.0   | any
prosody    | prosody   | 0.8.1   | any
prosody    | prosody   | 0.8.2   | any
prosody    | prosody   | 0.9.0   | any
prosody    | prosody   | 0.9.1   | any
prosody    | prosody   | 0.9.2   | any

References 8

  • blog.prosody.im http://blog.prosody.im/prosody-0-9-4-released/
    Vendor Advisory
  • code.lightwitch.org http://code.lightwitch.org/metronome/rev/49f47277a411
    Exploit, Patch
  • hg.prosody.im http://hg.prosody.im/0.9/rev/b3b1c9da38fb
    Exploit, Patch
  • openwall.com http://openwall.com/lists/oss-security/2014/04/07/7
  • openwall.com http://openwall.com/lists/oss-security/2014/04/09/1
  • secunia.com http://secunia.com/advisories/57710
  • debian.org http://www.debian.org/security/2014/dsa-2895
  • xmpp.org http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

Remediation