The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.
References
| Link | Resource |
|---|---|
| http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released | Vendor Advisory |
| http://rhn.redhat.com/errata/RHSA-2015-1176.html | Third Party Advisory |
| http://secunia.com/advisories/59290 | Third Party Advisory |
| http://secunia.com/advisories/59291 | Third Party Advisory |
| http://www.kb.cert.org/vuls/id/489228 | Third Party Advisory US Government Resource |
| http://www.securityfocus.com/bid/67124 | Third Party Advisory VDB Entry |
Configurations
History
23 Feb 2021, 16:13
| Type | Values Removed | Values Added |
|---|---|---|
| References | (CONFIRM) http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released - Vendor Advisory | |
| References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2015-1176.html - Third Party Advisory | |
| References | (BID) http://www.securityfocus.com/bid/67124 - Third Party Advisory, VDB Entry | |
| References | (SECUNIA) http://secunia.com/advisories/59290 - Third Party Advisory | |
| References | (SECUNIA) http://secunia.com/advisories/59291 - Third Party Advisory | |
| References | (CERT-VN) http://www.kb.cert.org/vuls/id/489228 - Third Party Advisory, US Government Resource | |
| CWE | CWE-345 | |
| CPE | cpe:2.3:a:igniterealtime:smack:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-16:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-12:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-11:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-18:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-26:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-21:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-13:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-06:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-10:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.0.3:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-13:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-04-09:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-29:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-16:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:*:snapshot-2014-04-15:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-19:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-02:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-21:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-18:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-02-20:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-25:*:*:*:*:*:* cpe:2.3:a:igniterealtime:smack:4.0.0:snapshot-2014-03-03:*:*:*:*:*:* |
cpe:2.3:a:igniterealtime:smack:*:*:*:*:*:*:*:* |
Information
Published : 2014-04-30 10:49
Updated : 2023-12-10 11:31
NVD link : CVE-2014-0364
Mitre link : CVE-2014-0364
CVE.ORG link : CVE-2014-0364
JSON object : View
Products Affected
igniterealtime
- smack
CWE
CWE-345
Insufficient Verification of Data Authenticity