ID CVE-2008-3532
Summary The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
References
Vulnerable Configurations
  • cpe:2.3:a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 29-09-2017 - 01:31)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2013-04-29T04:10:25.565-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
    family unix
    id oval:org.mitre.oval:def:10979
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
    version 31
  • accepted 2013-09-30T04:01:04.838-04:00
    class vulnerability
    contributors
    name Shane Shaffer
    organization G2, Inc.
    definition_extensions
    comment Pidgin is installed
    oval oval:org.mitre.oval:def:12366
    description The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
    family windows
    id oval:org.mitre.oval:def:18327
    status accepted
    submitted 2013-08-16T15:36:10.221-04:00
    title The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service
    version 4
redhat via4
advisories
bugzilla
id 457907
title CVE-2008-3532 pidgin: NSS plugin doesn't verify SSL certificates
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • comment finch is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023001
        • comment finch is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023002
      • AND
        • comment finch-devel is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023003
        • comment finch-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023004
      • AND
        • comment libpurple is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023005
        • comment libpurple is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023006
      • AND
        • comment libpurple-devel is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023007
        • comment libpurple-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023008
      • AND
        • comment libpurple-perl is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023009
        • comment libpurple-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023010
      • AND
        • comment libpurple-tcl is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023011
        • comment libpurple-tcl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023012
      • AND
        • comment pidgin is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023013
        • comment pidgin is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080584002
      • AND
        • comment pidgin-devel is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023015
        • comment pidgin-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023016
      • AND
        • comment pidgin-perl is earlier than 0:2.5.2-6.el4
          oval oval:com.redhat.rhsa:tst:20081023017
        • comment pidgin-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023018
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment finch is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023020
        • comment finch is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584005
      • AND
        • comment finch-devel is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023022
        • comment finch-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584007
      • AND
        • comment libpurple is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023024
        • comment libpurple is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584009
      • AND
        • comment libpurple-devel is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023026
        • comment libpurple-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584011
      • AND
        • comment libpurple-perl is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023028
        • comment libpurple-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584013
      • AND
        • comment libpurple-tcl is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023030
        • comment libpurple-tcl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584015
      • AND
        • comment pidgin is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023032
        • comment pidgin is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584017
      • AND
        • comment pidgin-devel is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023034
        • comment pidgin-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584019
      • AND
        • comment pidgin-perl is earlier than 0:2.5.2-6.el5
          oval oval:com.redhat.rhsa:tst:20081023036
        • comment pidgin-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584021
rhsa
id RHSA-2008:1023
released 2008-12-15
severity Moderate
title RHSA-2008:1023: pidgin security and bug fix update (Moderate)
rpms
  • finch-0:2.5.2-6.el4
  • finch-0:2.5.2-6.el5
  • finch-devel-0:2.5.2-6.el4
  • finch-devel-0:2.5.2-6.el5
  • libpurple-0:2.5.2-6.el4
  • libpurple-0:2.5.2-6.el5
  • libpurple-devel-0:2.5.2-6.el4
  • libpurple-devel-0:2.5.2-6.el5
  • libpurple-perl-0:2.5.2-6.el4
  • libpurple-perl-0:2.5.2-6.el5
  • libpurple-tcl-0:2.5.2-6.el4
  • libpurple-tcl-0:2.5.2-6.el5
  • pidgin-0:2.5.2-6.el4
  • pidgin-0:2.5.2-6.el5
  • pidgin-debuginfo-0:2.5.2-6.el4
  • pidgin-debuginfo-0:2.5.2-6.el5
  • pidgin-devel-0:2.5.2-6.el4
  • pidgin-devel-0:2.5.2-6.el5
  • pidgin-perl-0:2.5.2-6.el4
  • pidgin-perl-0:2.5.2-6.el5
refmap via4
bid 30553
confirm
mandriva MDVSA-2009:025
misc http://developer.pidgin.im/attachment/ticket/6500/nss-cert-verify.patch
secunia
  • 31390
  • 32859
  • 33102
ubuntu USN-675-1
vupen ADV-2008-2318
xf pidgin-ssl-spoofing(44220)
Last major update 29-09-2017 - 01:31
Published 08-08-2008 - 19:41
Last modified 29-09-2017 - 01:31
Back to Top