CVE-2010-1155 — Improper Input Validation in Irssi

CWE-20 — Improper Input Validation7 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.8%

top 26.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Irssi Debian Irssi

Timeline

PublishedApr 16

Latest updateMay 2

Description

Irssi before 0.8.15, when SSL is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field or a Subject Alternative Name field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IRC servers via an arbitrary certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/irssi< irssi 0.8.15-1 (bookworm)

▶Debianirssi/irssi< 0.8.15-1+3

▶NVDirssi/irssi0.8.15+15

Patches

Patch: www.vupen.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

GHSA-hvgv-8rp6-894g: Irssi before 0↗2022-05-02

▶

OSV

CVE-2010-1155: Irssi before 0↗2010-04-16

▶

📋Vendor Advisories

Ubuntu

irssi regression↗2010-04-20

▶

Ubuntu

irssi vulnerabilities↗2010-04-15

▶

Debian

CVE-2010-1155: irssi - Irssi before 0.8.15, when SSL is used, does not verify that the server hostname ...↗2010

▶

💬Community

Bugzilla

CVE-2010-1155 CVE-2010-1156 irssi 0.8.15 fixes two security issues↗2010-04-12

▶