CVE-2016-0756

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
prosodyprosody
𝑥
≤ 0.9.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
prosody
bullseye (security)
0.11.9-2+deb11u2
fixed
bullseye
0.11.9-2+deb11u2
fixed
bookworm
0.12.3-1
fixed
trixie
0.12.4-1
fixed
sid
0.12.4-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
prosody
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
Fixed 0.9.10-1
released
wily
ignored
vivid
Fixed 0.9.7-2+deb8u3build0.15.04.1
released
trusty
dne
precise
ignored
Common Weakness Enumeration
References
http://blog.prosody.im/prosody-0-9-10-released/
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html
http://www.debian.org/security/2016/dsa-3463
http://www.openwall.com/lists/oss-security/2016/01/27/10
http://www.securityfocus.com/bid/82241
https://prosody.im/issues/issue/596
https://prosody.im/security/advisory_20160127/
http://blog.prosody.im/prosody-0-9-10-released/
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176796.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176914.html
http://www.debian.org/security/2016/dsa-3463
http://www.openwall.com/lists/oss-security/2016/01/27/10
http://www.securityfocus.com/bid/82241
https://prosody.im/issues/issue/596
https://prosody.im/security/advisory_20160127/