Executive Summary
Summary | |
---|---|
Title | Openfire: Multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | GLSA-201406-35 | First vendor Publication | 2014-06-30 |
Vendor | Gentoo | Last vendor Modification | 2014-06-30 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Synopsis Multiple vulnerabilities have been found in Openfire, the worst of which could lead to a Denial of Service condition. Background Description Impact Workaround Resolution References Availability http://security.gentoo.org/glsa/glsa-201406-35.xml |
Original Source
Url : http://security.gentoo.org/glsa/glsa-201406-35.xml |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
CAPEC-94 | Man in the Middle Attack |
CAPEC-114 | Authentication Abuse |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-287 | Improper Authentication |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-05-18 | Name : Openfire Security Bypass Vulnerabilities File : nvt/gb_openfire_sec_bypass_vuln_may09.nasl |
2009-05-05 | Name : FreeBSD Ports: openfire File : nvt/freebsd_openfire2.nasl |
2008-11-24 | Name : FreeBSD Ports: openfire File : nvt/freebsd_openfire0.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57568 | Openfire Crafted passwd_change IQ Packet register.password (canChangePassword... |
54189 | Openfire IQAuthHandler.java jabber:iq:auth Crafted passwd_change Request Arbi... Openfire contains a flaw that may allow a malicious user to bypass certain security restrictions. The issue is triggered when the 'no password changes' setting is not properly respected by Openfire. It is possible that the flaw may allow a malicious user to change other users' passwords by sending jabber:iq:auth passwd_change requests to the server resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-07-14 | Name : The remote host contains an application that is affected by a denial of servi... File : openfire_3_9_2.nasl - Type : ACT_GATHER_INFO |
2014-07-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-35.nasl - Type : ACT_GATHER_INFO |
2009-05-05 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_e3e30d9958a84a3f8059a8b7cd59b881.nasl - Type : ACT_GATHER_INFO |
2009-05-05 | Name : The remote host contains an application that is affected by a remote password... File : openfire_3_6_4.nasl - Type : ACT_GATHER_INFO |
2008-11-21 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_937adf01b64a11dda55e00163e000016.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-07-02 13:25:55 |
|
2014-06-30 21:23:11 |
|