CVE-2021-37601

CVE-2021-37601

Name

CVE-2021-37601

Description

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://prosody.im/
MISC	https://prosody.im/security/advisory_20210722/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/
Mailing List	http://www.openwall.com/lists/oss-security/2021/07/28/4
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/

Type

URI

MISC

https://prosody.im/

MISC

https://prosody.im/security/advisory_20210722/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/

Mailing List

http://www.openwall.com/lists/oss-security/2021/07/28/4

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:prosody:prosody::::::::`	prosody	>= 0.11.0	<= 0.11.9

CPE URI

Source package

Min version

Max version

cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*

prosody

>= 0.11.0

<= 0.11.9

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
prosody	edge-community	0.11.10-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
prosody	edge-community	0.11.9-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
prosody	3.22-community	0.11.10-r0	None	fixed
prosody	3.22-community	0.11.9-r0	None	possibly vulnerable
prosody	3.21-community	0.11.10-r0	None	fixed
prosody	3.20-community	0.11.10-r0	None	fixed
prosody	3.19-community	0.11.10-r0	None	fixed
prosody	3.18-community	0.11.10-r0	None	fixed
prosody	3.17-community	0.11.10-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

prosody

edge-community

0.11.10-r0

Francesco Colista <fcolista@alpinelinux.org>

fixed

prosody

edge-community