CVE-2018-10847

Summary

CVE	CVE-2018-10847
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-07-30 17:29:00 UTC
Updated	2019-10-09 23:33:00 UTC
Description	prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

Risk And Classification

Problem Types: CWE-287

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Prosody	Prosody	All	All	All	All
Application	Prosody	Prosody	0.10.0	All	All	All
Application	Prosody	Prosody	0.10.1	All	All	All
Application	Prosody	Prosody	All	All	All	All
Application	Prosody	Prosody	0.10.0	All	All	All
Application	Prosody	Prosody	0.10.1	All	All	All

References

Reference	Source	Link	Tags
advisory_20180531	CONFIRM	prosody.im	Vendor Advisory
#1147 Changing "to" address mid-negotiation causes privilege escalation from anonymous account to normal account (closed) - Prosody IM Issue Tracker	CONFIRM	issues.prosody.im	Vendor Advisory
Debian -- Security Information -- DSA-4216-1 prosody	DEBIAN	www.debian.org	Third Party Advisory
Prosody 0.10.2 and 0.9.14 Security Release \| Prosodical Thoughts	CONFIRM	blog.prosody.im	Vendor Advisory
1584801 – (CVE-2018-10847) CVE-2018-10847 prosody: cross-host authentication vulnerability	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.