5.9

CVE-2022-26491

EPSS 0.49%
Veröffentlicht 02.06.2022 14:15:40
Zuletzt bearbeitet 21.11.2024 06:54:02
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pidgin ≫ Pidgin Version < 2.14.9

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.648

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://developer.pidgin.im/wiki/FullChangeLog

Vendor Advisory

Release Notes

https://github.com/xsf/xeps/pull/1158

Patch

Third Party Advisory

https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html

Third Party Advisory

Mailing List

https://mail.jabber.org/pipermail/standards/2022-February/038759.html

Third Party Advisory

Mailing List

https://pidgin.im/about/security/advisories/cve-2022-26491/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26491

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26491

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26491

EUVD