Description

It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated with (part of) a Multi-User Chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat whose address they know, if it is hosted on a vulnerable Prosody server.