CVE-2021-37601: 
NixOS vulnerability analysis and mitigation

CVE-2021-37601 affects muc.lib.lua in Prosody versions 0.11.0 through 0.11.9. The vulnerability was discovered in July 2021 and allows remote attackers to obtain sensitive information, specifically lists of admins, members, owners, and banned entities of Multi-User chat rooms in some common configurations (Prosody Advisory, NVD).

The vulnerability has a CVSS 3.1 Base Score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue specifically affects Multi-User chat rooms that are configured to share real addresses of occupants with all other occupants (non-anonymous). The impact is particularly significant for rooms configured as 'members-only', which is a common setup for rooms using OMEMO end-to-end encryption (Prosody Advisory).

The vulnerability allows unauthorized entities to access the list of admins, members, owners, and banned entities of any federated XMPP group chat hosted on a vulnerable Prosody server, provided they know the chat room's address. This information disclosure is particularly concerning for private group chats and members-only rooms (Prosody Advisory).

The vulnerability was fixed in Prosody version 0.11.10, released on August 3, 2021. For systems unable to upgrade immediately, a manual patch can be applied to the muc.lib.lua file. The patch can be applied to any Prosody installation from 0.11.0 to 0.11.9. After applying the patch, the MUC component must be reloaded or Prosody must be restarted (Prosody Advisory, Fedora Update).