CVE-2014-3694: Improper Certificate Validation in Pidgin

Severity: 6.4 MEDIUM (NVD)
EPSS: 1.3% (top 20.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 29; latest update May 14

Description

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS vector

AV:N/AC:L/C:P/I:P/A:N (Exploitability: 10.0 | Impact: 4.9)

Affected Packages (5 packages)

debian: debian/pidgin < pidgin 2.10.10-1 (bookworm)
Debian: pidgin/pidgin < 2.10.10-1 (+3 more)
Ubuntu: pidgin/pidgin < 1:2.10.9-0ubuntu3.2
NVD: pidgin/pidgin 2.10.9 (+9 more)
NVD: opensuse/opensuse 12.3, 13.1, 13.2 (+2 more)

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, 14.04, 14.10

Patches

Vulnerability Details (3)

GHSA: GHSA-qfvv-4jjj-6cq2: The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2... (2022-05-14)
OSV: CVE-2014-3694: The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2... (2014-10-29)
OSV: pidgin vulnerabilities (2014-10-28)

Vendor Advisories (3)

Ubuntu: Pidgin vulnerabilities (2014-10-28)
Red Hat: pidgin: SSL/TLS plug-ins failed to check Basic Constraints (2014-10-22)
Debian: CVE-2014-3694: pidgin - The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin... (2014)

Community (2)

Bugzilla: CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 CVE-2014-3698 pidgin: various flaws [fedora-all] (2014-10-23)
Bugzilla: CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints (2014-10-21)