CVE-2021-32917 log

Source
Severity: Medium
Remote: Yes
Type: Insufficient validation
Description
A security issue was found in the Prosody.im XMPP server software before version 0.11.9. mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients.

It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not affected. With mod_proxy65 enabled, all configurations without a 'proxy65_acl' setting configured are affected.
Group     Package   Affected     Fixed        Severity  Status  Ticket
AVG-1955  prosody   1:0.11.8-1   1:0.11.9-1   High      Fixed
Date         Advisory        Group     Package   Severity  Type
19 May 2021  ASA-202105-11   AVG-1955  prosody   High      multiple issues
References
https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
https://hg.prosody.im/trunk/rev/65dcc175ef5b
Notes
Workaround
==========

The issue can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
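The Prosody configuration fragment below is an added example, not taken from the advisory or the Prosody project; "example.com" and "proxy.example.com" are placeholder domains. It shows the affected form (mod_proxy65 enabled with no 'proxy65_acl') next to the mitigated form described above.

```lua
-- Added example, not from the advisory or the Prosody project.
-- "example.com" and "proxy.example.com" are placeholder domains.

VirtualHost "example.com"

-- Affected form: proxy65 enabled without proxy65_acl, so any XMPP
-- entity, local or not, may relay data through it. Keep only one of
-- the two Component blocks in a real configuration.
-- Component "proxy.example.com" "proxy65"

-- Mitigated form: only users of the listed XMPP domains may use the
-- file transfer proxy.
Component "proxy.example.com" "proxy65"
    proxy65_acl = { "example.com" }
```

Updating to 0.11.9 or later remains the full fix; the ACL limits who can use the proxy on builds that predate it.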