CVE-2022-26491 — Improper Certificate Validation in Pidgin

CWE-295 — Improper Certificate Validation CWE-924 — Improper Enforcement of Message Integrity During Transmission in a Communication Channel5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

1.2%

top 21.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pidgin Debian Pidgin Debian Linux

Timeline

PublishedJun 2

Latest updateJun 3

Description

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDpidgin/pidgin< 2.14.9

▶debiandebian/pidgin< pidgin 2.14.9-1 (bookworm)

▶Debianpidgin/pidgin< 2.14.9-1+2

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: keep.imfreedom.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4hw8-r3fw-2q2x: An issue was discovered in Pidgin before 2↗2022-06-03

▶

OSV

CVE-2022-26491: An issue was discovered in Pidgin before 2↗2022-06-02

▶

📋Vendor Advisories

Red Hat

pidgin: MITM attack possible on non-DNSSEC XMPP connections↗2022-04-29

▶

Debian

CVE-2022-26491: pidgin - An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof...↗2022

▶