5.9

CVE-2022-26491

EPSS 0.49%
Published 02.06.2022 14:15:40
Last modified 21.11.2024 06:54:02
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

Affected products Warnungen 0 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Pidgin ≫ Pidgin Version < 2.14.9

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.648

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://developer.pidgin.im/wiki/FullChangeLog

Vendor Advisory

Release Notes

https://github.com/xsf/xeps/pull/1158

Patch

Third Party Advisory

https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html

Third Party Advisory

Mailing List

https://mail.jabber.org/pipermail/standards/2022-February/038759.html

Third Party Advisory

Mailing List

https://pidgin.im/about/security/advisories/cve-2022-26491/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26491

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26491

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26491

EUVD