CVE-2022-28352: Improper Certificate Validation in WeeChat

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.2% (top 55.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 2
Latest update: Apr 3

Description

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (3 packages)

Source   Package            Affected versions
debian   debian/weechat     < weechat 3.4.1-1 (bookworm)
NVD      weechat/weechat    3.2 (introduced), 3.4.1 (fixed)
Debian   weechat/weechat    < 3.4.1-1+2

Vulnerability Details (2)

GHSA: GHSA-q6x4-wf9q-6g23: WeeChat (aka Wee Enhanced Environment for Chat) 3 (2022-04-03)
OSV: CVE-2022-28352: WeeChat (aka Wee Enhanced Environment for Chat) 3 (2022-04-02)

Vendor Advisories (1)

Debian: CVE-2022-28352: weechat - WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not... (2022)