CVE-2021-32917 log

Severity Medium
Remote Yes
Type Insufficient validation
A security issue was found in the XMPP server software before version 0.11.9. mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients.

It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not affected. With mod_proxy65 enabled, all configurations without a 'proxy65_acl' setting configured are affected.
Group Package Affected Fixed Severity Status Ticket
AVG-1955 prosody 1:0.11.8-1 1:0.11.9-1 High Fixed
Date Advisory Group Package Severity Type
19 May 2021 ASA-202105-11 AVG-1955 prosody High multiple issues

The issue can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.