CVE-2014-2745
NONE EPSS 86.3%
Published Apr 11, 2014 (12y ago) · Modified Jun 17, 2026 (2w ago)
Description
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
Threat Intelligence
EPSS Exploit Probability
86.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-264
Affected Products 20
| Vendor | Product | Version | Range |
|---|---|---|---|
| prosody | prosody | * | ≤0.9.3 |
| prosody | prosody | 0.1.0 | any |
| prosody | prosody | 0.2.0 | any |
| prosody | prosody | 0.3.0 | any |
| prosody | prosody | 0.4.0 | any |
| prosody | prosody | 0.4.1 | any |
| prosody | prosody | 0.4.2 | any |
| prosody | prosody | 0.5.0 | any |
| prosody | prosody | 0.5.1 | any |
| prosody | prosody | 0.5.2 | any |
| prosody | prosody | 0.6.0 | any |
| prosody | prosody | 0.6.1 | any |
| prosody | prosody | 0.6.2 | any |
| prosody | prosody | 0.7.0 | any |
| prosody | prosody | 0.8.0 | any |
| prosody | prosody | 0.8.1 | any |
| prosody | prosody | 0.8.2 | any |
| prosody | prosody | 0.9.0 | any |
| prosody | prosody | 0.9.1 | any |
| prosody | prosody | 0.9.2 | any |
References 8
- blog.prosody.im http://blog.prosody.im/prosody-0-9-4-released/
- hg.prosody.im http://hg.prosody.im/0.9/rev/1107d66d2ab2
- hg.prosody.im http://hg.prosody.im/0.9/rev/a97591d2e1ad
- openwall.com http://openwall.com/lists/oss-security/2014/04/07/7
- openwall.com http://openwall.com/lists/oss-security/2014/04/09/1
- secunia.com http://secunia.com/advisories/57710
- debian.org http://www.debian.org/security/2014/dsa-2895
- xmpp.org http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.