CVE-2014-8760
ejabberd - security update
EPSS 0.26%
Description
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
How to fix CVE-2014-8760
To remediate CVE-2014-8760, upgrade the affected package to one of the fixed versions listed below.
- Debian/ejabberd: upgrade to 14.07-3 or later
- Debian/ejabberd: upgrade to 2.1.10-4+deb7u2 or later
Is CVE-2014-8760 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/ejabberd: from 0, < 14.07-3
- Debian/ejabberd: from 0, < 2.1.10-4+deb7u2