ID

VAR-202105-0754


CVE

CVE-2021-32920


TITLE

Prosody  Resource Depletion Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-006910

DESCRIPTION

Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server. There were security vulnerabilities before Prosody 0.11.9. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1. We recommend that you upgrade your prosody packages. For the detailed security status of prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8 TjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE Jh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB Yy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly NteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY oWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv OdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn S9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U M1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT mIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA KxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu vBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg= =miBj -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202105-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Prosŏdy IM: Multiple vulnerabilities Date: May 26, 2021 Bugs: #771144, #789969 ID: 202105-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. It aims to be easy to set up and configure, and efficient with system resources. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-im/prosody < 0.11.9 >= 0.11.9 Description =========== Multiple vulnerabilities have been discovered in Prosŏdy IM. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Prosŏdy IM users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-im/prosody-0.11.9" References ========== [ 1 ] CVE-2021-32917 https://nvd.nist.gov/vuln/detail/CVE-2021-32917 [ 2 ] CVE-2021-32918 https://nvd.nist.gov/vuln/detail/CVE-2021-32918 [ 3 ] CVE-2021-32919 https://nvd.nist.gov/vuln/detail/CVE-2021-32919 [ 4 ] CVE-2021-32920 https://nvd.nist.gov/vuln/detail/CVE-2021-32920 [ 5 ] CVE-2021-32921 https://nvd.nist.gov/vuln/detail/CVE-2021-32921 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202105-15 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.97

sources: NVD: CVE-2021-32920 // JVNDB: JVNDB-2021-006910 // CNVD: CNVD-2021-47381 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32920 // PACKETSTORM: 169060 // PACKETSTORM: 162828

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-47381

AFFECTED PRODUCTS

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:prosodymodel:prosodyscope:ltversion:0.11.9

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:the prosody teammodel:prosodyscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:prosodymodel:prosodyscope:eqversion:0.11.9

Trust: 0.6

sources: CNVD: CNVD-2021-47381 // JVNDB: JVNDB-2021-006910 // NVD: CVE-2021-32920

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32920
value: HIGH

Trust: 1.0

NVD: CVE-2021-32920
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-47381
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202105-840
value: HIGH

Trust: 0.6

VULMON: CVE-2021-32920
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-32920
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-47381
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-32920
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-32920
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-47381 // VULMON: CVE-2021-32920 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-840 // JVNDB: JVNDB-2021-006910 // NVD: CVE-2021-32920

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:Resource exhaustion (CWE-400) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-006910 // NVD: CVE-2021-32920

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-840

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-840

PATCH

title:Prosody 0.11.9 releasedurl:https://www.debian.org/security/2021/dsa-4916

Trust: 0.8

title:Patch for Prosodical Thoughts Prosody Resource Management Error Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/276801

Trust: 0.6

title:Prosodical Thoughts Prosody Remediation of resource management error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151578

Trust: 0.6

title:Debian CVElist Bug Report Logs: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=7e41f41000c2cab381645f71a452e062

Trust: 0.1

title:Debian Security Advisories: DSA-4916-1 prosody -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=4c6e99d47bcacbd4d7778a12ef9e2dd1

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-32920 log

Trust: 0.1

title:Arch Linux Advisories: [ASA-202105-11] prosody: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202105-11

Trust: 0.1

sources: CNVD: CNVD-2021-47381 // VULMON: CVE-2021-32920 // CNNVD: CNNVD-202105-840 // JVNDB: JVNDB-2021-006910

EXTERNAL IDS

db:NVDid:CVE-2021-32920

Trust: 4.1

db:OPENWALLid:OSS-SECURITY/2021/05/14/2

Trust: 2.3

db:OPENWALLid:OSS-SECURITY/2021/05/13/1

Trust: 1.7

db:JVNDBid:JVNDB-2021-006910

Trust: 0.8

db:PACKETSTORMid:162828

Trust: 0.7

db:CNVDid:CNVD-2021-47381

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021052610

Trust: 0.6

db:CS-HELPid:SB2021051924

Trust: 0.6

db:CS-HELPid:SB2021051714

Trust: 0.6

db:AUSCERTid:ESB-2021.1668

Trust: 0.6

db:CNNVDid:CNNVD-202105-840

Trust: 0.6

db:VULMONid:CVE-2021-32920

Trust: 0.1

db:PACKETSTORMid:169060

Trust: 0.1

sources: CNVD: CNVD-2021-47381 // VULMON: CVE-2021-32920 // PACKETSTORM: 169060 // PACKETSTORM: 162828 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-840 // JVNDB: JVNDB-2021-006910 // NVD: CVE-2021-32920

REFERENCES

url:http://www.openwall.com/lists/oss-security/2021/05/14/2

Trust: 2.3

url:https://www.debian.org/security/2021/dsa-4916

Trust: 1.8

url:https://blog.prosody.im/prosody-0.11.9-released/

Trust: 1.7

url:http://www.openwall.com/lists/oss-security/2021/05/13/1

Trust: 1.7

url:https://security.gentoo.org/glsa/202105-15

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-32920

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/

Trust: 0.7

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/

Trust: 0.6

url:https://vigilance.fr/vulnerability/prosody-four-vulnerabilities-35422

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021052610

Trust: 0.6

url:https://packetstormsecurity.com/files/162828/gentoo-linux-security-advisory-202105-15.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1668

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021051924

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021051714

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-32921

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32918

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32917

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32919

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/prosody

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

sources: CNVD: CNVD-2021-47381 // VULMON: CVE-2021-32920 // PACKETSTORM: 169060 // PACKETSTORM: 162828 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-840 // JVNDB: JVNDB-2021-006910 // NVD: CVE-2021-32920

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 169060

SOURCES

db:CNVDid:CNVD-2021-47381
db:VULMONid:CVE-2021-32920
db:PACKETSTORMid:169060
db:PACKETSTORMid:162828
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202105-840
db:JVNDBid:JVNDB-2021-006910
db:NVDid:CVE-2021-32920

LAST UPDATE DATE

2026-06-19T21:16:01.043000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-47381date:2021-07-05T00:00:00
db:VULMONid:CVE-2021-32920date:2021-05-22T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202105-840date:2022-07-14T00:00:00
db:JVNDBid:JVNDB-2021-006910date:2022-01-25T07:26:00
db:NVDid:CVE-2021-32920date:2026-06-17T03:53:48.113

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-47381date:2021-07-05T00:00:00
db:VULMONid:CVE-2021-32920date:2021-05-13T00:00:00
db:PACKETSTORMid:169060date:2021-05-28T19:12:00
db:PACKETSTORMid:162828date:2021-05-26T17:51:36
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202105-840date:2021-05-13T00:00:00
db:JVNDBid:JVNDB-2021-006910date:2022-01-25T00:00:00
db:NVDid:CVE-2021-32920date:2021-05-13T16:15:08.377