Vulnerability Name:

CVE-2011-4922 (CCN-65338)

Assigned:2011-02-10
Published:2011-02-10
Updated:2017-09-19
Summary:cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
1.2 Low (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N)
0.9 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2011-4922

Source: CONFIRM
Type: Exploit, Patch
http://hg.pidgin.im/pidgin/main/rev/8c850977cb42

Source: MLIST
Type: UNKNOWN
[oss-security] 20120104 Re: CVE request: Pidgin

Source: CCN
Type: RHSA-2011-0616
Low: pidgin security and bug fix update

Source: CCN
Type: SA43271
Pidgin Cipher API Information Disclosure Security Issue

Source: CCN
Type: OSVDB ID: 72798
Pidgin Cipher API libpurple/cipher.c Multiple Function Sensitive Structure Local Memory Disclosure

Source: CCN
Type: Pidgin Security Advisory 2011-02-06
Cipher API information disclosure

Source: CONFIRM
Type: Vendor Advisory
http://www.pidgin.im/news/security/?id=50

Source: CCN
Type: BID-46307
Pidgin 'Libpurple' Cipher API Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
pidgin-libpurple-info-disc(65338)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:18223

Vulnerable Configuration:Configuration 1:
  • cpe:/a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:*:*:*:*:*:*:*:* (Version <= 2.7.9)
  • OR cpe:/a:pidgin:pidgin:2.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.10.1:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.10.2:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.10.3:*:*:*:*:*:*:*
  • OR cpe:/a:pidgin:pidgin:2.10.4:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:pidgin:pidgin:2.7.9:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:17715
    P
    		USN-1500-1 -- pidgin vulnerabilities
    2014-06-30
    oval:org.mitre.oval:def:23572
    P
    		ELSA-2011:0616: pidgin security and bug fix update (Low)
    2014-05-26
    oval:org.mitre.oval:def:21072
    P
    		RHSA-2011:0616: pidgin security and bug fix update (Low)
    2014-02-24
    oval:org.mitre.oval:def:18223
    V
    		cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents
    2013-09-30
    oval:com.ubuntu.precise:def:20114922000
    V
    		CVE-2011-4922 on Ubuntu 12.04 LTS (precise) - low.
    2012-08-08
    oval:com.redhat.rhsa:def:20110616
    P
    		RHSA-2011:0616: pidgin security and bug fix update (Low)
    2011-05-19
    BACK
    pidgin pidgin 2.0.0
    pidgin pidgin 2.0.1
    pidgin pidgin 2.0.2
    pidgin pidgin 2.1.0
    pidgin pidgin 2.1.1
    pidgin pidgin 2.2.0
    pidgin pidgin 2.2.1
    pidgin pidgin 2.2.2
    pidgin pidgin 2.3.0
    pidgin pidgin 2.3.1
    pidgin pidgin 2.4.0
    pidgin pidgin 2.4.1
    pidgin pidgin 2.4.2
    pidgin pidgin 2.4.3
    pidgin pidgin 2.5.0
    pidgin pidgin 2.5.1
    pidgin pidgin 2.5.2
    pidgin pidgin 2.5.3
    pidgin pidgin 2.5.4
    pidgin pidgin 2.5.5
    pidgin pidgin 2.5.6
    pidgin pidgin 2.5.7
    pidgin pidgin 2.5.8
    pidgin pidgin 2.5.9
    pidgin pidgin 2.6.0
    pidgin pidgin 2.6.1
    pidgin pidgin 2.6.2
    pidgin pidgin 2.6.4
    pidgin pidgin 2.6.5
    pidgin pidgin 2.6.6
    pidgin pidgin 2.7.0
    pidgin pidgin 2.7.1
    pidgin pidgin 2.7.2
    pidgin pidgin 2.7.3
    pidgin pidgin 2.7.4
    pidgin pidgin 2.7.5
    pidgin pidgin 2.7.6
    pidgin pidgin 2.7.7
    pidgin pidgin 2.7.8
    pidgin pidgin *
    pidgin pidgin 2.10.0
    pidgin pidgin 2.10.1
    pidgin pidgin 2.10.2
    pidgin pidgin 2.10.3
    pidgin pidgin 2.10.4
    pidgin pidgin 2.7.9
    redhat enterprise linux 6
    redhat enterprise linux 6
    redhat enterprise linux desktop 6