CVE-2010-4528 — Improper Input Validation in Pidgin

CWE-20 — Improper Input Validation6 documents6 sources

Severity

4.0MEDIUMNVD

EPSS

2.7%

top 14.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pidgin Debian Pidgin Pidgin Libpurple

Timeline

PublishedJan 7

Latest updateMay 17

Description

directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidgin before 2.7.9 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a short p2pv2 packet in a DirectConnect (aka direct connection) session.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 8.0 | Impact: 2.9

Affected Packages4 packages

▶NVDpidgin/libpurple2.7.6, 2.7.7, 2.7.8+2

▶debiandebian/pidgin< pidgin 2.7.9-1 (bookworm)

▶Debianpidgin/pidgin< 2.7.9-1+3

▶NVDpidgin/pidgin2.7.8+38

Patches

Patch: developer.pidgin.im ↗Patch: developer.pidgin.im ↗Patch: pidgin.im ↗

🔴Vulnerability Details

GHSA

GHSA-jmfm-mjhr-jhgw: directconn↗2022-05-17

▶

OSV

CVE-2010-4528: directconn↗2011-01-07

▶

📋Vendor Advisories

Red Hat

Pidgin: MSN DirectConnect DoS (crash) after receiving a short P2P message↗2010-12-26

▶

Debian

CVE-2010-4528: pidgin - directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidg...↗2010

▶

💬Community

Bugzilla

CVE-2010-4528 Pidgin: MSN DirectConnect DoS (crash) after receiving a short P2P message↗2010-12-23

▶