Lucene search

[email protected]NVD:CVE-2023-38688

HistoryAug 04, 2023 - 5:15 p.m.

CVE-2023-38688

2023-08-0417:15:10

CWE-311

[email protected]

web.nvd.nist.gov

twitch-tui

insecure communication

tls disabling

irc

auth tokens

sniffing

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.8%

JSON

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including auth tokens, can be sniffed. Version 2.4.1 has a patch for this issue.

Affected configurations

Nvd

Node

xithriustwitch-tuiRange≤2.4.0rust

VendorProductVersionCPE
xithriustwitch-tui*cpe:2.3:a:xithrius:twitch-tui:*:*:*:*:*:rust:*:*

Vendor	Product	Version	CPE
xithrius	twitch-tui	*	cpe:2.3:a:xithrius:twitch-tui::::::rust::*

References

github.com/Xithrius/twitch-tui/blob/340afc3c8c07a83289fe6ef614aa7563c8b70756/src/twitch/connection.rs#L23

github.com/Xithrius/twitch-tui/commit/74d13ddca35f8f0816f4933c229da1fd95c0350a

github.com/Xithrius/twitch-tui/security/advisories/GHSA-779w-xvpm-78jx

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.8%

JSON

Related for NVD:CVE-2023-38688

osv2 cve1 prion1 cvelist1 github1