Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-1376 — Improper Handling of Syntactically Invalid Structure in Pidgin
Severity
10.0CRITICALNVD
NVD9.3OSV9.3OSV6.8
EPSS
25.9%
top 3.71%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedMay 26
Latest updateMay 2
Description
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.
CVSS vector
AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0
Affected Packages4 packages
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-p33h-j5pj-5f6r: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink↗2022-05-02
GHSA▶
GHSA-gg6v-c4q4-582f: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink↗2022-05-02
OSV
▶
OSV▶
CVE-2009-1376: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink↗2009-05-26