ID CVE-2009-3026
Summary protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
References
Vulnerable Configurations
  • cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
  • accepted 2013-04-29T04:11:16.436-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
    family unix
    id oval:org.mitre.oval:def:11070
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
    version 24
  • accepted 2013-09-09T04:03:41.776-04:00
    class vulnerability
    contributors
    • name Chandan S
      organization SecPod Technologies
    • name Shane Shaffer
      organization G2, Inc.
    definition_extensions
    comment Pidgin is installed
    oval oval:org.mitre.oval:def:12366
    description protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
    family windows
    id oval:org.mitre.oval:def:5757
    status accepted
    submitted 2009-09-24T03:13:11
    title Pidgin 2.6.0 and prior does not follow the require TLS/SSL preference
    version 4
redhat via4
rpms
  • finch-0:2.6.2-2.el4
  • finch-devel-0:2.6.2-2.el4
  • libpurple-0:2.6.2-2.el4
  • libpurple-devel-0:2.6.2-2.el4
  • libpurple-perl-0:2.6.2-2.el4
  • libpurple-tcl-0:2.6.2-2.el4
  • pidgin-0:2.6.2-2.el4
  • pidgin-devel-0:2.6.2-2.el4
  • pidgin-perl-0:2.6.2-2.el4
  • finch-0:2.6.2-2.el5
  • finch-devel-0:2.6.2-2.el5
  • libpurple-0:2.6.2-2.el5
  • libpurple-devel-0:2.6.2-2.el5
  • libpurple-perl-0:2.6.2-2.el5
  • libpurple-tcl-0:2.6.2-2.el5
  • pidgin-0:2.6.2-2.el5
  • pidgin-devel-0:2.6.2-2.el5
  • pidgin-perl-0:2.6.2-2.el5
refmap via4
bid 36368
confirm
mlist [oss-security] 20090824 CVE id request: pidgin
secunia 37071
xf pidgin-libpurple-weak-security(53000)
statements via4
contributor Mark J Cox
lastmodified 2009-09-22
organization Red Hat
statement Red Hat has released updates to correct this issue: https://rhn.redhat.com/errata/RHSA-2009-1453.html
Last major update 19-09-2017 - 01:29
Published 31-08-2009 - 20:30
Back to Top