CVE-2020-8086

moderate-risk

Published 2020-01-28

The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.

Do I need to act?

0.67% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Mod Auth Ldap

Mod Auth Ldap2

Debian Linux

Affected Vendors

Debian Prosody

References (10)

Third Party Advisory https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap/mod_auth_ldap.lua

Third Party Advisory https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap2/mod_auth_ldap2.lua

Vendor Advisory https://prosody.im/security/advisory_20200128/

Mailing List https://seclists.org/bugtraq/2020/Feb/5

Third Party Advisory https://www.debian.org/security/2020/dsa-4612

Third Party Advisory https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap/mod_auth_ldap.lua

Third Party Advisory https://hg.prosody.im/prosody-modules/log/tip/mod_auth_ldap2/mod_auth_ldap2.lua

Vendor Advisory https://prosody.im/security/advisory_20200128/

Mailing List https://seclists.org/bugtraq/2020/Feb/5

Third Party Advisory https://www.debian.org/security/2020/dsa-4612

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 10/34 · Low