MidnightBSD

Advisories for lightwitch

CVE-2014-2743 HIGH

plugins/mod_compression.lua in Lightwitch Metronome through 3.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
lightwitch metronome *

CVE-2014-2744 HIGH

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20

Products Affected

Vendor Product Version
prosody prosody *
prosody prosody 0.5.0
prosody prosody 0.5.1
lightwitch metronome *
prosody prosody 0.6.2
prosody prosody 0.6.0
prosody prosody 0.3.0
prosody prosody 0.4.0
prosody prosody 0.8.1
prosody prosody 0.9.1
prosody prosody 0.9.2
prosody prosody 0.5.2
prosody prosody 0.9.0
prosody prosody 0.4.1
prosody prosody 0.8.2
prosody prosody 0.7.0
prosody prosody 0.4.2
prosody prosody 0.8.0
prosody prosody 0.1.0
prosody prosody 0.6.1
prosody prosody 0.2.0