CVE-2016-1232

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
Severity
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
NONE
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
VendorProductVersion
prosodyprosody
𝑥
≤ 0.9.8
prosodyprosody
0.9.0
prosodyprosody
0.9.1
prosodyprosody
0.9.2
prosodyprosody
0.9.3
prosodyprosody
0.9.4
prosodyprosody
0.9.5
prosodyprosody
0.9.6
prosodyprosody
0.9.7
debiandebian_linux
7.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
prosody
bullseye (security)
0.11.9-2+deb11u2
fixed
bullseye
0.11.9-2+deb11u2
fixed
bookworm
0.12.3-1
fixed
trixie
0.12.4-1
fixed
sid
0.12.4-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
prosody
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
Fixed 0.9.8-1ubuntu0.1
released
vivid
Fixed 0.9.7-2+deb8u2build0.15.04.1
released
trusty
Fixed 0.9.1-1ubuntu0.1
released
precise
ignored