Vulnerability Name: | CVE-2010-4528 (CCN-64332) |
Assigned: | 2010-12-26 |
Published: | 2010-12-26 |
Updated: | 2017-09-19 |
Summary: | directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidgin before 2.7.9 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a short p2pv2 packet in a DirectConnect (aka direct connection) session.
|
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) |
Exploitability Metrics: | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
Scope: | Scope (S): Unchanged |
Impact Metrics: | Confidentiality (C): None; Integrity (I): None; Availability (A): Low |
|
CVSS v2 Severity: | 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P); 3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance |
Impact Metrics: | Confidentiality (C): None; Integrity (I): None; Availability (A): Partial |
CCN CVSS v2 Severity: | 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None |
Impact Metrics: | Confidentiality (C): None; Integrity (I): None; Availability (A): Partial |
|
Vulnerability Type: | CWE-20
|
Vulnerability Consequences: | Denial of Service |
References: | Source: MITRE Type: CNA CVE-2010-4528
Source: CONFIRM Type: Patch http://developer.pidgin.im/viewmtn/revision/diff/e76f4ad4ef2f10588195a0eedc7a08f82062f79c/with/aaa07bde3c51d3684391ae6ed86b6dbaeab5d031/libpurple/protocols/msn/directconn.c
Source: CONFIRM Type: Patch http://developer.pidgin.im/viewmtn/revision/info/aaa07bde3c51d3684391ae6ed86b6dbaeab5d031
Source: CCN Type: Pidgin Web site ChangeLog Pidgin Trac
Source: FEDORA Type: UNKNOWN FEDORA-2010-19314
Source: FEDORA Type: UNKNOWN FEDORA-2010-19317
Source: SUSE Type: UNKNOWN SUSE-SR:2011:001
Source: MLIST Type: Patch [support] 20101227 Pidgin 2.7.9 released
Source: CCN Type: SA42732 Pidgin MSN Direct Connection Denial of Service Weakness
Source: SECUNIA Type: Vendor Advisory 42732
Source: SECUNIA Type: Vendor Advisory 42824
Source: SECUNIA Type: UNKNOWN 42877
Source: MANDRIVA Type: UNKNOWN MDVSA-2010:259
Source: MLIST Type: Patch [oss-security] 20101227 CVE Request -- Pidgin v2.7.6 <= x <= v2.7.8 -- MSN DirectConnect DoS (crash due NULL ptr dereference) after receiving a short P2P message
Source: MLIST Type: Patch [oss-security] 20101231 Re: CVE Request -- Pidgin v2.7.6 <= x <= v2.7.8 -- MSN DirectConnect DoS (crash due NULL ptr dereference) after receiving a short P2P message
Source: CCN Type: OSVDB ID: 70162 Pidgin MSN Direct Connection p2pv2 Packet Handling NULL Dereference Remote DoS
Source: CCN Type: Pidgin Security Advisory 2010-12-26 Remotely-triggered denial of service in MSN
Source: CONFIRM Type: Patch, Vendor Advisory http://www.pidgin.im/news/security/?id=49
Source: BID Type: UNKNOWN 45581
Source: CCN Type: BID-45581 Libpurple MSN Short Packets Remote Denial of Service Vulnerability
Source: VUPEN Type: Vendor Advisory ADV-2011-0028
Source: VUPEN Type: UNKNOWN ADV-2011-0054
Source: VUPEN Type: UNKNOWN ADV-2011-0076
Source: CONFIRM Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=665421
Source: XF Type: UNKNOWN pidgin-msndirect-dos(64332)
Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:18461
Source: SUSE Type: SUSE-SR:2011:001 SUSE Security Summary Report
|
Vulnerable Configuration: | Configuration 1:
cpe:/a:pidgin:libpurple:2.7.6:*:*:*:*:*:*:*
OR cpe:/a:pidgin:libpurple:2.7.7:*:*:*:*:*:*:*
OR cpe:/a:pidgin:libpurple:2.7.8:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.6.6:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.0:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.1:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.2:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.3:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.4:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.5:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.6:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.7:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:*:*:*:*:*:*:*:* (Version <= 2.7.8)
Configuration CCN 1:
cpe:/a:pidgin:pidgin:2.7.6:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.7:*:*:*:*:*:*:*
OR cpe:/a:pidgin:pidgin:2.7.8:*:*:*:*:*:*:*
Oval Definitions |
Definition ID | Class | Title | Last Modified |
---|---|---|---|
oval:org.opensuse.security:def:20104528 | V | CVE-2010-4528 | 2015-11-16 |
oval:org.mitre.oval:def:18461 | V | directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidgin before 2.7.9 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a short p2pv2 packet in a DirectConnect (aka direct connection) session | 2013-09-30 |
|