Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2014-0364
Last Modified 13 Jul 2015 01:42:23
Published 30 Apr 2014 06:49:04
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-0364

Summary

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

Vulnerable Systems

Application

  • Igniterealtime Smack 2.2.0

  • Igniterealtime Smack 2.2.1

  • Igniterealtime Smack 3.0.0

  • Igniterealtime Smack 3.0.1

  • Igniterealtime Smack 3.0.2

  • Igniterealtime Smack 3.0.3

  • Igniterealtime Smack 3.1.0

  • Igniterealtime Smack 3.2.0

  • Igniterealtime Smack 3.2.1

  • Igniterealtime Smack 3.2.2

  • Igniterealtime Smack 3.3.0

  • Igniterealtime Smack 3.3.1

  • Igniterealtime Smack 3.4.0

  • Igniterealtime Smack 4.0.0

  • Redhat Jboss Fuse 6.1.0


References

CERT-VN - VU#489228

CONFIRM - http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released

REDHAT - RHSA-2015:1176


Last Updated: 27 May 2016 11:05:08