CVE-2014-2744

Severity: Unknown
EPSS: 3.31%

Last modified

CVE-2014-2744 is a vulnerability of currently unknown severity. plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack. EPSS estimates a 3.31% chance of exploitation in the next 30 days.

Description

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

Metrics

EPSS Probability
3.31%

87.0th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor      Product     Versions
Lightwitch  Metronome   <= 3.4
Prosody     Prosody     <= 0.9.3
Prosody     Prosody     0.1.0
Prosody     Prosody     0.2.0
Prosody     Prosody     0.3.0
Prosody     Prosody     0.4.0
Prosody     Prosody     0.4.1
Prosody     Prosody     0.4.2
Prosody     Prosody     0.5.0
Prosody     Prosody     0.5.1
Prosody     Prosody     0.5.2
Prosody     Prosody     0.6.0
Prosody     Prosody     0.6.1
Prosody     Prosody     0.6.2
Prosody     Prosody     0.7.0
Prosody     Prosody     0.8.0
Prosody     Prosody     0.8.1
Prosody     Prosody     0.8.2
Prosody     Prosody     0.9.0
Prosody     Prosody     0.9.1
Prosody     Prosody     0.9.2

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2014-2744?
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
How severe is CVE-2014-2744?
Severity scoring for CVE-2014-2744 is pending analysis. The EPSS model estimates a 3.31% probability of exploitation in the next 30 days.
How do I fix CVE-2014-2744?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-2744?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST