CVE-2009-3026 — Pidgin vulnerability

CWE-3107 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 32.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pidgin Debian Pidgin

Timeline

PublishedAug 31

Latest updateMay 2

Description

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/pidgin< pidgin 2.6.1-1 (bookworm)

▶Debianpidgin/pidgin< 2.6.1-1+3

▶NVDpidgin/pidgin2.6.0

Patches

Patch: developer.pidgin.im ↗Patch: developer.pidgin.im ↗

🔴Vulnerability Details

GHSA

GHSA-39qg-c7hm-9wwf: protocols/jabber/auth↗2022-05-02

▶

OSV

CVE-2009-3026: protocols/jabber/auth↗2009-08-31

▶

📋Vendor Advisories

Ubuntu

Pidgin vulnerabilities↗2010-01-18

▶

Red Hat

pidgin: ignores SSL/TLS requirements with old jabber servers↗2009-01-15

▶

Debian

CVE-2009-3026: pidgin - protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other version...↗2009

▶

💬Community

Bugzilla

CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers↗2009-08-25

▶