CVE-2021-37601 - log

CVE-2021-37601 edited at 03 Aug 2021 14:47:13
References
https://prosody.im/security/advisory_20210722/
https://prosody.im/security/advisory_20210722/1.patch
+ https://hg.prosody.im/0.11/rev/d117b92fd8e4
CVE-2021-37601 edited at 28 Jul 2021 18:45:15
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server.
References
+ https://prosody.im/security/advisory_20210722/
+ https://prosody.im/security/advisory_20210722/1.patch
Notes
CVE-2021-37601 created at 28 Jul 2021 18:40:37