CVE-2017-10807

JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1	Third Party Advisory
https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16	Third Party Advisory
https://bugs.debian.org/867032	Third Party Advisory
http://www.securityfocus.com/bid/99511	Third Party Advisory VDB Entry
http://www.debian.org/security/2017/dsa-3902

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:jabberd2:jabberd2:*:*:*:*:*:*:*:*

Information

Published : 2017-07-04 08:29

Updated : 2017-11-03 18:29

NVD link : CVE-2017-10807

Mitre link : CVE-2017-10807

JSON object : View

CWE

CWE-287

Improper Authentication

Advertisement

Products Affected

jabberd2

jabberd2

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1", "name": "https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16", "name": "https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://bugs.debian.org/867032", "name": "https://bugs.debian.org/867032", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/99511", "name": "99511", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://www.debian.org/security/2017/dsa-3902", "name": "DSA-3902", "tags": [], "refsource": "DEBIAN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-10807", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2017-07-04T15:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jabberd2:jabberd2:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.6.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-11-04T01:29Z"}