CVE-2017-5591Improper Input Validation in Project Sleekxmpp

CWE-20Improper Input ValidationCWE-346Origin Validation ErrorCWE-940Improper Verification of Source of a Communication Channel7 documents5 sources
Severity
5.9MEDIUMNVD
EPSS
0.5%
top 36.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Sleekxmpp Project SleekxmppSlixmpp Project SlixmppDebian Sleekxmpp+2 more
Timeline
PublishedFeb 9
Latest updateMay 13

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages9 packages

debiandebian/slixmpp< sleekxmpp 1.3.1-6 (bullseye)
debiandebian/sleekxmpp< sleekxmpp 1.3.1-6 (bullseye)
Debianslixmpp_project/slixmpp< 1.2.2-1.1+3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons2022-05-13
OSV
SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons2022-05-13
OSV
CVE-2017-5591: An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contac2017-02-09

📋Vendor Advisories

1
Debian
CVE-2017-5591: sleekxmpp - An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clie...2017

💬Community

2
Bugzilla
CVE-2017-5591 python-sleekxmpp: User impersonation vulnerability [fedora-all]2017-02-10
Bugzilla
CVE-2017-5591 python-sleekxmpp: User impersonation vulnerability2017-02-10