Lucene search

[email protected]CVE-2009-3026

HistoryAug 31, 2009 - 8:30 p.m.

CVE-2009-3026

2009-08-3120:30:01

CWE-310

[email protected]

web.nvd.nist.gov

cve-2009-3026

libpurple

pidgin

tls

ssl

jabber

xmpp

encryption

remote attack

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.3 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.0%

JSON

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the “require TLS/SSL” preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Affected configurations

NVD

Node

pidginpidginMatch2.6.0

CPENameOperatorVersion
pidgin:pidginpidgineq2.6.0

CPE	Name	Operator	Version
pidgin:pidgin	pidgin	eq	2.6.0

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891

developer.pidgin.im/ticket/8131

developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

secunia.com/advisories/37071

www.openwall.com/lists/oss-security/2009/08/24/2

www.securityfocus.com/bid/36368

exchange.xforce.ibmcloud.com/vulnerabilities/53000

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.3 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.0%

JSON

Related for CVE-2009-3026

ubuntucve1 debiancve1 veracode1 cvelist1 nvd1 prion1 openvas22 nessus19 securityvulns2 gentoo1 redhat1 centos1 oraclelinux1 ubuntu1