vulnerability
Arch Linux: Information disclosure (CVE-2021-37601)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Jul 28, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Jul 28, 2021
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server.
Solution
arch-linux-upgrade-latest
References
- CVE-2021-37601
- https://attackerkb.com/topics/CVE-2021-37601
- URL-http://www.openwall.com/lists/oss-security/2021/07/28/4
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/
- URL-https://prosody.im/
- URL-https://prosody.im/security/advisory_20210722/
- URL-https://security.archlinux.org/ASA-202108-11
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.