CVE-2017-18265 - Vulnerability Details - OpenCVE

Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Prosody	Prosody

Configuration 1 [-]

cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugs.debian.org/875829
https://hg.prosody.im/0.9/rev/176b7f4e4ac9
https://hg.prosody.im/0.9/rev/adfffc5b4e2a
https://prosody.im/issues/issue/987
https://www.debian.org/security/2018/dsa-4198

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-05-09T17:00:00

Updated: 2024-08-05T21:13:49.298Z

Reserved: 2018-05-09T00:00:00

Link: CVE-2017-18265

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-09T17:29:00.227

Modified: 2024-11-21T03:19:43.317

Link: CVE-2017-18265

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-11T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4198", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4198"}, {"tags": ["x_refsource_MISC"], "url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"}, {"tags": ["x_refsource_MISC"], "url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"}, {"tags": ["x_refsource_MISC"], "url": "https://prosody.im/issues/issue/987"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/875829"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-18265", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4198", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4198"}, {"name": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9", "refsource": "MISC", "url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"}, {"name": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a", "refsource": "MISC", "url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"}, {"name": "https://prosody.im/issues/issue/987", "refsource": "MISC", "url": "https://prosody.im/issues/issue/987"}, {"name": "https://bugs.debian.org/875829", "refsource": "MISC", "url": "https://bugs.debian.org/875829"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:13:49.298Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4198", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4198"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://prosody.im/issues/issue/987"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/875829"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-18265", "datePublished": "2018-05-09T17:00:00", "dateReserved": "2018-05-09T00:00:00", "dateUpdated": "2024-08-05T21:13:49.298Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*", "matchCriteriaId": "74F219C3-EABA-407F-BBD6-65C8381B2238", "versionEndExcluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module."}, {"lang": "es", "value": "Prosody en versiones anteriores a la 0.10.0 permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (cierre inesperado de la aplicaci\u00f3n). Esto est\u00e1 relacionado con una incompatibilidad con ciertas versiones de la biblioteca LuaSocket, como el paquete lua-socket de Debian stretch. El atacante necesita desencadenar un error de stream. Se puede observar un cierre inesperado, por ejemplo, en el m\u00f3dulo c2s."}], "id": "CVE-2017-18265", "lastModified": "2024-11-21T03:19:43.317", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-09T17:29:00.227", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List"], "url": "https://bugs.debian.org/875829"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://prosody.im/issues/issue/987"}, {"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "https://www.debian.org/security/2018/dsa-4198"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List"], "url": "https://bugs.debian.org/875829"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://hg.prosody.im/0.9/rev/176b7f4e4ac9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://hg.prosody.im/0.9/rev/adfffc5b4e2a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://prosody.im/issues/issue/987"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://www.debian.org/security/2018/dsa-4198"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}