CVE-2021-32921 - log

CVE-2021-32921 edited at 19 May 2021 15:17:36
References
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
Notes
+ The issue can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
CVE-2021-32921 edited at 13 May 2021 15:14:45
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
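The description above concerns a comparison that stops at the first differing byte, so the time it takes grows with the length of the matching prefix of the guess. The following is an added illustration, not Prosody's code and not Lua: it is Python, and it counts bytes examined instead of measuring time so the effect is deterministic. The secret, the guesses and the helper names (early_exit_equal, constant_time_equal, prefix_leak, stdlib_equal) are all constructed for this example.

```python
"""Early-exit vs constant-time secret comparison (added example, not Prosody code)."""
import hmac


def early_exit_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns at the first mismatch.

    Returns (equal, bytes_examined). The count stands in for elapsed time:
    it grows with the length of the matching prefix, which is exactly the
    signal a timing attack measures.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where the mismatch is.

    Every byte is visited and the differences are OR-ed into an accumulator;
    there is no early return, so the work is always the full length.
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0, len(a)


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """What production code should use: the standard library's constant-time compare."""
    return hmac.compare_digest(a, b)


def prefix_leak(compare, secret: bytes, guesses: list[bytes]) -> list[int]:
    """Work done by `compare` for each guess. A leaky compare exposes the prefix length."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample values; not a real credential.
SECRET = b"s3cr3t-token-0001"
GUESSES = [
    b"x" * len(SECRET),                      # no matching prefix
    b"s3c" + b"x" * (len(SECRET) - 3),       # 3-byte matching prefix
    b"s3cr3t-" + b"x" * (len(SECRET) - 7),   # 7-byte matching prefix
    SECRET,                                  # exact match
]


def demo() -> tuple[list[int], list[int]]:
    """Return (work per guess with early exit, work per guess constant-time)."""
    leaky = prefix_leak(early_exit_equal, SECRET, GUESSES)
    safe = prefix_leak(constant_time_equal, SECRET, GUESSES)
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("early-exit work per guess:   ", leaky)   # rises with matching prefix
    print("constant-time work per guess:", safe)    # identical for every guess
```

The early-exit column is the defect: an observer who can time the server's response learns how many leading bytes of the guess were right. The constant-time column is flat, which is the property the fixed comparison must have; the rate limiting mentioned in the notes above only slows the measurement down, it does not remove the signal.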
References
+ https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
+ https://hg.prosody.im/trunk/rev/c98aebe601f9
+ https://hg.prosody.im/trunk/rev/13b84682518e
+ https://hg.prosody.im/trunk/rev/6f56170ea986
CVE-2021-32921 created at 13 May 2021 14:59:33