CVE-2021-32917 - log back

CVE-2021-32917 edited at 13 May 2021 15:02:53
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue was found in the Prosody.im XMPP server software before version 0.11.9. mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients.
+
+ It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
+
+ The default configuration does not enable mod_proxy65 and is not affected. With mod_proxy65 enabled, all configurations without a 'proxy65_acl' setting configured are affected.
References
+ https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
+ https://hg.prosody.im/trunk/rev/65dcc175ef5b
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
CVE-2021-32917 created at 13 May 2021 14:59:33