{"id":"CVE-2021-32921","details":"An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.","modified":"2026-03-15T22:40:48.415471Z","published":"2021-05-13T16:15:08.407Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4916"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/14/2"},{"type":"ADVISORY","url":"https://blog.prosody.im/prosody-0.11.9-released/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-15"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/13/1"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00018.html"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"0.11.9"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"0.11.9"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32921.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}