{"api_version":"1","generated_at":"2026-04-23T02:59:01+00:00","cve":"CVE-2021-32917","urls":{"html":"https://cve.report/CVE-2021-32917","api":"https://cve.report/api/cve/CVE-2021-32917.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32917","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32917"},"summary":{"title":"CVE-2021-32917","description":"An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-05-13 16:15:00","updated_at":"2023-11-07 03:35:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/","name":"FEDORA-2021-a33f6e36e1","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: prosody-0.11.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://blog.prosody.im/prosody-0.11.9-released/","name":"https://blog.prosody.im/prosody-0.11.9-released/","refsource":"MISC","tags":[],"title":"Prosody 0.11.9 released | Prosodical Thoughts","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/","name":"FEDORA-2021-b5d8c6d086","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: prosody-0.11.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/05/13/1","name":"[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","refsource":"MLIST","tags":[],"title":"oss-security - Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2021/dsa-4916","name":"DSA-4916","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4916-1 prosody","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/","name":"FEDORA-2021-a33f6e36e1","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: prosody-0.11.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/","name":"FEDORA-2021-498be8f560","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 32 Update: prosody-0.11.9-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/","name":"FEDORA-2021-498be8f560","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: prosody-0.11.9-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html","name":"[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2687-1] prosody security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/05/14/2","name":"[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","refsource":"MLIST","tags":[],"title":"oss-security - Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/","name":"FEDORA-2021-b5d8c6d086","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: prosody-0.11.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202105-15","name":"https://security.gentoo.org/glsa/202105-15","refsource":"MISC","tags":[],"title":"Prosŏdy IM: Multiple vulnerabilities (GLSA 202105-15) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32917","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32917","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32917","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"prosody","cpe5":"prosody","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-32917","qid":"178602","title":"Debian Security Update for prosody (DSA 4916-1)"},{"cve":"CVE-2021-32917","qid":"178674","title":"Debian Security Update for prosody (DLA 2687-1)"},{"cve":"CVE-2021-32917","qid":"180374","title":"Debian Security Update for prosody (CVE-2021-32917)"},{"cve":"CVE-2021-32917","qid":"281156","title":"Fedora Security Update for prosody (FEDORA-2021-498be8f560)"},{"cve":"CVE-2021-32917","qid":"281157","title":"Fedora Security Update for prosody (FEDORA-2021-b5d8c6d086)"},{"cve":"CVE-2021-32917","qid":"281158","title":"Fedora Security Update for prosody (FEDORA-2021-a33f6e36e1)"},{"cve":"CVE-2021-32917","qid":"501226","title":"Alpine Linux Security Update for prosody"},{"cve":"CVE-2021-32917","qid":"690138","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for prosody (fc75570a-b417-11eb-a23d-c7ab331fd711)"},{"cve":"CVE-2021-32917","qid":"710569","title":"Gentoo Linux Prosody IM Multiple Vulnerabilities (GLSA 202105-15)"},{"cve":"CVE-2021-32917","qid":"750212","title":"OpenSUSE Security Update for prosody (openSUSE-SU-2021:0728-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-32917","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://blog.prosody.im/prosody-0.11.9-released/","refsource":"MISC","name":"https://blog.prosody.im/prosody-0.11.9-released/"},{"refsource":"MLIST","name":"[oss-security] 20210513 Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","url":"http://www.openwall.com/lists/oss-security/2021/05/13/1"},{"refsource":"MLIST","name":"[oss-security] 20210514 Re: Prosody XMPP server advisory 2021-05-12 (multiple vulnerabilities)","url":"http://www.openwall.com/lists/oss-security/2021/05/14/2"},{"refsource":"DEBIAN","name":"DSA-4916","url":"https://www.debian.org/security/2021/dsa-4916"},{"refsource":"FEDORA","name":"FEDORA-2021-b5d8c6d086","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"},{"refsource":"FEDORA","name":"FEDORA-2021-a33f6e36e1","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"},{"refsource":"FEDORA","name":"FEDORA-2021-498be8f560","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"},{"refsource":"MISC","name":"https://security.gentoo.org/glsa/202105-15","url":"https://security.gentoo.org/glsa/202105-15"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210616 [SECURITY] [DLA 2687-1] prosody security update","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"}]}},"nvd":{"publishedDate":"2021-05-13 16:15:00","lastModifiedDate":"2023-11-07 03:35:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*","versionEndExcluding":"0.11.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32917","Ordinal":"208305","Title":"CVE-2021-32917","CVE":"CVE-2021-32917","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32917","Ordinal":"1","NoteData":"An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32917","Ordinal":"2","NoteData":"2021-05-13","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32917","Ordinal":"3","NoteData":"2021-06-16","Type":"Other","Title":"Modified"}]}}}