CVE-2009-3026 - protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow t

CVE-2009-3026

Summary

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

References

Vulnerable Configurations

cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

oval via4

accepted

2013-04-29T04:11:16.436-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11070

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2013-09-09T04:03:41.776-04:00

class

vulnerability

contributors

name Chandan S
organization SecPod Technologies
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment	Pidgin is installed
oval	oval:org.mitre.oval:def:12366

description

family

windows

oval:org.mitre.oval:def:5757

status

accepted

submitted

2009-09-24T03:13:11

title

Pidgin 2.6.0 and prior does not follow the require TLS/SSL preference

version

redhat via4

rpms

finch-0:2.6.2-2.el4
finch-0:2.6.2-2.el5
finch-devel-0:2.6.2-2.el4
finch-devel-0:2.6.2-2.el5
libpurple-0:2.6.2-2.el4
libpurple-0:2.6.2-2.el5
libpurple-devel-0:2.6.2-2.el4
libpurple-devel-0:2.6.2-2.el5
libpurple-perl-0:2.6.2-2.el4
libpurple-perl-0:2.6.2-2.el5
libpurple-tcl-0:2.6.2-2.el4
libpurple-tcl-0:2.6.2-2.el5
pidgin-0:2.6.2-2.el4
pidgin-0:2.6.2-2.el5
pidgin-debuginfo-0:2.6.2-2.el4
pidgin-debuginfo-0:2.6.2-2.el5
pidgin-devel-0:2.6.2-2.el4
pidgin-devel-0:2.6.2-2.el5
pidgin-perl-0:2.6.2-2.el4
pidgin-perl-0:2.6.2-2.el5

refmap via4

bid	36368
confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891 http://developer.pidgin.im/ticket/8131 http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279
mlist	[oss-security] 20090824 CVE id request: pidgin
secunia	37071
xf	pidgin-libpurple-weak-security(53000)

statements via4

contributor	Mark J Cox
lastmodified	2009-09-22
organization	Red Hat
statement	Red Hat has released updates to correct this issue: https://rhn.redhat.com/errata/RHSA-2009-1453.html

Last major update

19-09-2017 - 01:29

Published

31-08-2009 - 20:30

Last modified

19-09-2017 - 01:29