ID CVE-2016-10376
Summary Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions.
References
Vulnerable Configurations
  • Gajim 0.16.7
    cpe:2.3:a:gajim:gajim:0.16.7
CVSS
Base: 3.5
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-3C561780C8.NASL
    description Gajim 0.16.8 - Fix rejoining MUCs after connection loss - Fix Groupchat invites - Fix encoding problems with newer GnuPG versions - Fix old messages randomly reappearing in the chat window - Fix some problems with IBB filetransfer - Make XEP-0146 Commands opt-in - Improve sending messages to your own resources - Improve reliability of delivery recipes - Many minor bugfixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 100821
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100821
    title Fedora 25 : gajim (2017-3c561780c8)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201707-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-201707-14 (Gajim: Information disclosure) Gajim unconditionally implements the “XEP-0146: Remote Controlling Clients” extension. Impact : Remote attackers, by enticing a user to connect to a malicious XMPP server, could extract plaintext from Off The Record (OTR) encrypted sessions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 101345
    published 2017-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101345
    title GLSA-201707-14 : Gajim: Information disclosure
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-E6DEEC5BD0.NASL
    description Gajim 0.16.8 - Fix rejoining MUCs after connection loss - Fix Groupchat invites - Fix encoding problems with newer GnuPG versions - Fix old messages randomly reappearing in the chat window - Fix some problems with IBB filetransfer - Make XEP-0146 Commands opt-in - Improve sending messages to your own resources - Improve reliability of delivery recipes - Many minor bugfixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 101739
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101739
    title Fedora 26 : gajim (2017-e6deec5bd0)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-665.NASL
    description This update for gajim fixes the following issues : - CVE-2016-10376: XEP-0146 extension can be abused by malicious XMPP servers (boo#1041163). - Update to version 0.16.7 : - Better compatibility with XEP-0191: Blocking Command. - Gajim now depends on python-gnupg for PGP encryption. - Remove usage of demandimport. - Many minor bugfixes. - Move python-farstream-0_1 to Suggests. - Correct the licence to GPL-3.0.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 100710
    published 2017-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100710
    title openSUSE Security Update : gajim (openSUSE-2017-665)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3943.NASL
    description Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the 'XEP-0146: Remote Controlling Clients' extension, allowing a malicious XMPP server to trigger commands to leak private conversations from encrypted sessions. With this update XEP-0146 support has been disabled by default and made opt-in via the 'remote_commands' option.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102483
    published 2017-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102483
    title Debian DSA-3943-1 : gajim - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-967.NASL
    description Gajim implements XEP-0146, an XMPP extension to run commands remotely from another client. However it was found that malicious servers can trigger commands, which could lead to leaking private conversations from encrypted sessions. To solve this, XEP-0146 support has been disabled by default. For Debian 7 'Wheezy', these problems have been fixed in version 0.15.1-4.1+deb7u3. We recommend that you upgrade your gajim packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 100516
    published 2017-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100516
    title Debian DLA-967-1 : gajim security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-62547837BA.NASL
    description Gajim 0.16.8 - Fix rejoining MUCs after connection loss - Fix Groupchat invites - Fix encoding problems with newer GnuPG versions - Fix old messages randomly reappearing in the chat window - Fix some problems with IBB filetransfer - Make XEP-0146 Commands opt-in - Improve sending messages to your own resources - Improve reliability of delivery recipes - Many minor bugfixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 100822
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100822
    title Fedora 24 : gajim (2017-62547837ba)
refmap via4
debian DSA-3943
gentoo GLSA-201707-14
misc
Last major update 27-05-2017 - 20:29
Published 27-05-2017 - 20:29
Last modified 05-11-2017 - 21:29
Back to Top