CVE-2016-2367Out-of-bounds Read in Pidgin

CWE-125Out-of-bounds ReadCWE-200Sensitive Information Exposure9 documents8 sources
Severity
5.9MEDIUMNVD
EPSS
1.9%
top 16.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PidginDebian PidginCanonical Ubuntu Linux+1 more
Timeline
PublishedJan 6
Latest updateMay 17

Description

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

debiandebian/pidgin< pidgin 2.11.0-1 (bookworm)
Debianpidgin/pidgin< 2.11.0-1+3
NVDpidgin/pidgin2.10.12
CVEListV5pidgin/pidgin2.10.11

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10

Patches

Patch: www.pidgin.imPatch: www.pidgin.im

🔴Vulnerability Details

2
GHSA
GHSA-cwh8-g5rj-527r: An information leak exists in the handling of the MXIT protocol in Pidgin2022-05-17
OSV
CVE-2016-2367: An information leak exists in the handling of the MXIT protocol in Pidgin2017-01-06

📋Vendor Advisories

3
Ubuntu
Pidgin vulnerabilities2016-07-12
Red Hat
pidgin: MXIT Avatar Length Memory Disclosure Vulnerability2016-06-21
Debian
CVE-2016-2367: pidgin - An information leak exists in the handling of the MXIT protocol in Pidgin. Speci...2016

🕵️Threat Intelligence

2
Talos
Vulnerability Spotlight: Pidgin Vulnerabilities2016-06-21
Talos
Vulnerability Spotlight: Pidgin Vulnerabilities2016-06-21

💬Community

1
Bugzilla
CVE-2016-2367 pidgin: MXIT Avatar Length Memory Disclosure Vulnerability2016-06-22