ID

VAR-202105-0755


CVE

CVE-2021-32921


TITLE

Prosody  Race Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-006911

DESCRIPTION

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Prosody Is vulnerable to a race condition.Information may be obtained. Prosodical Thoughts Prosody is an open source application system of Prosodical Thoughts. A modern XMPP communication server. Remote attackers can use this vulnerability to obtain sensitive information. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1. We recommend that you upgrade your prosody packages. For the detailed security status of prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmCi0+8ACgkQEMKTtsN8 TjZnCg/+NZAMCpnKUqKs3vy7pZkXJXgCmCQgs3TYMXPGty3GuhjCO6Ao2sLnb0OE Jh6QBpgUmGknhMEuU6wbscBK8oMUEkVvvrlFv1sjp8yHwqQ65KkZvnNNbOsVBFXB Yy/aQzk8bYe601ZLXLR29IBVGPUA9+rjUXMqeBNok5LyEQW00yhe/WOOf8UqU7Ly NteRRmc8aR3WL392EVChvKNtVftC+5n6CtegXwzD+OQYCWFEmKbo449ySQJDHHfY oWvQBH9mk+lrfrRgIXqqZ9zFCEAg1cRaUQc0EBLkHFmRbHWCk/Ybk7mUm0dc3BFv OdOHYR3+IHedOjhuBaDnbexffQaVpP8G8/av9Hpzu+SRbmlDVRNfzrtG6M3k3SGn S9j7ah/uxsmuwYXQ4gjnYAhlpRDRkswpms22fZr4wEWRy17LgIIWQh1zIwii3s+U M1uMhU56F0jjZ/X+SGhIdUIKhcKIv+vPbxlBM700T3VLDhpoWhd4+K6JZFcXhMeT mIv12dghuHXwNp9ONw3kC946CLIMcerRqI1eB13f0XZw//+IcqBMPR6PzSkxqRdA KxEOPLzipHNtnNTo/RevUyI1hbi1eWW0QT/sLtuhFSzQUtOW0EFf8ZxJFHBaADeu vBvc9XewmRRGPpwXj42GaYZ/5c7VE3hiMEvdhFimSt666MnwhKg= =miBj -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202105-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Prosŏdy IM: Multiple vulnerabilities Date: May 26, 2021 Bugs: #771144, #789969 ID: 202105-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. It aims to be easy to set up and configure, and efficient with system resources. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-im/prosody < 0.11.9 >= 0.11.9 Description =========== Multiple vulnerabilities have been discovered in Prosŏdy IM. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Prosŏdy IM users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-im/prosody-0.11.9" References ========== [ 1 ] CVE-2021-32917 https://nvd.nist.gov/vuln/detail/CVE-2021-32917 [ 2 ] CVE-2021-32918 https://nvd.nist.gov/vuln/detail/CVE-2021-32918 [ 3 ] CVE-2021-32919 https://nvd.nist.gov/vuln/detail/CVE-2021-32919 [ 4 ] CVE-2021-32920 https://nvd.nist.gov/vuln/detail/CVE-2021-32920 [ 5 ] CVE-2021-32921 https://nvd.nist.gov/vuln/detail/CVE-2021-32921 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202105-15 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.97

sources: NVD: CVE-2021-32921 // JVNDB: JVNDB-2021-006911 // CNVD: CNVD-2021-47380 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32921 // PACKETSTORM: 169060 // PACKETSTORM: 162828

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-47380

AFFECTED PRODUCTS

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:prosodymodel:prosodyscope:ltversion:0.11.9

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:the prosody teammodel:prosodyscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:prosodymodel:prosodyscope:eqversion:0.11.9

Trust: 0.6

sources: CNVD: CNVD-2021-47380 // JVNDB: JVNDB-2021-006911 // NVD: CVE-2021-32921

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32921
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-32921
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-47380
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202105-841
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-32921
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32921
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-47380
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-32921
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-32921
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-47380 // VULMON: CVE-2021-32921 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-841 // JVNDB: JVNDB-2021-006911 // NVD: CVE-2021-32921

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.0

problemtype:Race condition (CWE-362) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-006911 // NVD: CVE-2021-32921

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-841

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:FEDORA-2021-a33f6e36e1 The Prosody TeamProsodyurl:https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html

Trust: 0.8

title:Patch for Prosodical Thoughts Prosody has unspecified vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/276796

Trust: 0.6

title:Prosodical Thoughts Prosody Repair measures for the competition condition problem loopholeurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151579

Trust: 0.6

title:Debian CVElist Bug Report Logs: prosody: CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=7e41f41000c2cab381645f71a452e062

Trust: 0.1

title:Debian Security Advisories: DSA-4916-1 prosody -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=4c6e99d47bcacbd4d7778a12ef9e2dd1

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-32921 log

Trust: 0.1

title:Arch Linux Advisories: [ASA-202105-11] prosody: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202105-11

Trust: 0.1

sources: CNVD: CNVD-2021-47380 // VULMON: CVE-2021-32921 // CNNVD: CNNVD-202105-841 // JVNDB: JVNDB-2021-006911

EXTERNAL IDS

db:NVDid:CVE-2021-32921

Trust: 4.1

db:OPENWALLid:OSS-SECURITY/2021/05/14/2

Trust: 2.3

db:OPENWALLid:OSS-SECURITY/2021/05/13/1

Trust: 1.7

db:JVNDBid:JVNDB-2021-006911

Trust: 0.8

db:PACKETSTORMid:162828

Trust: 0.7

db:CNVDid:CNVD-2021-47380

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021051714

Trust: 0.6

db:CS-HELPid:SB2021052610

Trust: 0.6

db:CS-HELPid:SB2021051924

Trust: 0.6

db:AUSCERTid:ESB-2021.2143

Trust: 0.6

db:AUSCERTid:ESB-2021.1668

Trust: 0.6

db:CNNVDid:CNNVD-202105-841

Trust: 0.6

db:VULMONid:CVE-2021-32921

Trust: 0.1

db:PACKETSTORMid:169060

Trust: 0.1

sources: CNVD: CNVD-2021-47380 // VULMON: CVE-2021-32921 // PACKETSTORM: 169060 // PACKETSTORM: 162828 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-841 // JVNDB: JVNDB-2021-006911 // NVD: CVE-2021-32921

REFERENCES

url:http://www.openwall.com/lists/oss-security/2021/05/14/2

Trust: 2.3

url:https://www.debian.org/security/2021/dsa-4916

Trust: 1.8

url:https://blog.prosody.im/prosody-0.11.9-released/

Trust: 1.7

url:http://www.openwall.com/lists/oss-security/2021/05/13/1

Trust: 1.7

url:https://security.gentoo.org/glsa/202105-15

Trust: 1.7

url:https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-32921

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/

Trust: 1.0

url:https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6mffbzwxkpzevznqsvjncue7wrf3t7dg/

Trust: 0.7

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/gun63ahewb2wrrojhu3bvjrwlonct2b7/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/lwj2dg2dfjoefewoun26imyywgsa2zee/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021052610

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2143

Trust: 0.6

url:https://packetstormsecurity.com/files/162828/gentoo-linux-security-advisory-202105-15.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1668

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021051924

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021051714

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-32918

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32920

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32917

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-32919

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/362.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988668

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/prosody

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

sources: CNVD: CNVD-2021-47380 // VULMON: CVE-2021-32921 // PACKETSTORM: 169060 // PACKETSTORM: 162828 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-841 // JVNDB: JVNDB-2021-006911 // NVD: CVE-2021-32921

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 169060

SOURCES

db:CNVDid:CNVD-2021-47380
db:VULMONid:CVE-2021-32921
db:PACKETSTORMid:169060
db:PACKETSTORMid:162828
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202105-841
db:JVNDBid:JVNDB-2021-006911
db:NVDid:CVE-2021-32921

LAST UPDATE DATE

2026-06-19T20:56:14.591000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-47380date:2021-07-05T00:00:00
db:VULMONid:CVE-2021-32921date:2021-05-22T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202105-841date:2021-06-17T00:00:00
db:JVNDBid:JVNDB-2021-006911date:2022-01-25T07:26:00
db:NVDid:CVE-2021-32921date:2026-06-17T03:53:48.247

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-47380date:2021-05-18T00:00:00
db:VULMONid:CVE-2021-32921date:2021-05-13T00:00:00
db:PACKETSTORMid:169060date:2021-05-28T19:12:00
db:PACKETSTORMid:162828date:2021-05-26T17:51:36
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202105-841date:2021-05-13T00:00:00
db:JVNDBid:JVNDB-2021-006911date:2022-01-25T00:00:00
db:NVDid:CVE-2021-32921date:2021-05-13T16:15:08.407