VDB
CVE-2014-8760
CVE-2014-8760
PUBLISHED
CVSS 5 MEDIUM
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
EPSS 0.26% · 50.2th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
0.26%
50.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| process-one | ejabberd | 0 |
| n/a | n/a | * |
Timeline
- Oct 25, 2014 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- [oss-security] 20141013 CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required mailing-list
- [Operators] 20141013 ejabberd: compression allows circumvention of encryption mailing-list
- http://advisories.mageia.org/MGASA-2014-0417.html url
- https://github.com/processone/ejabberd/commit/7bdc1151b url
- https://bugzilla.redhat.com/show_bug.cgi?id=1153839 url
- MDVSA-2014:207 vendor-advisory
- 70415 vdb
- MDVSA-2015:175 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2014-8760 advisory