Vulnerability CVE-2022-26491

Vulnerability Name:

CVE-2022-26491 (CCN-227586)

Assigned:

2022-03-08

Published:

2022-03-08

Updated:

2022-06-09

Summary:

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-295

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2022-26491

Source: MISC
Type: Release Notes, Vendor Advisory
https://developer.pidgin.im/wiki/FullChangeLog

Source: XF
Type: UNKNOWN
pidgin-cve202226491-mitm(227586)

Source: CCN
Type: GitHub Web site
Remove _xmppconnect DNS method from XEP-0156 and add warnings #1158

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/xsf/xeps/pull/1158

Source: MISC
Type: Patch, Third Party Advisory
https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220606 [SECURITY] [DLA 3043-1] pidgin security update

Source: MISC
Type: Mailing List, Third Party Advisory
https://mail.jabber.org/pipermail/standards/2022-February/038759.html

Source: CCN
Type: Pidgin Web site
Pidgin

Source: MISC
Type: Vendor Advisory
https://pidgin.im/about/security/advisories/cve-2022-26491/

Source: CCN
Type: Pidgin GIT Repository
Pidgin IM

Vulnerable Configuration:

Configuration 1:

cpe:/a:pidgin:pidgin:*:*:*:*:*:*:*:* (Version < 2.14.9)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.6:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.3:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.4:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.5:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.6:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.7:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.8:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.9:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.6:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.1:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.2:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.3:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.4:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.5:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.8:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.7:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.9.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.8.0:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.11:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.7.10:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.6.3:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.10.11:*:*:*:*:*:*:*

OR cpe:/a:pidgin:pidgin:2.13.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:3734	P	p7zip-9.20.1-7.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3788	P	socat-1.7.2.4-3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95364	P	Security update for pidgin (Important)	2022-05-17
oval:org.opensuse.security:def:95421	P	Security update for pidgin (Important)	2022-05-17
oval:org.opensuse.security:def:6330	P	Security update for pidgin (Important)	2022-05-16
oval:org.opensuse.security:def:1513	P	Security update for pidgin (Important)	2022-05-16
oval:org.opensuse.security:def:477	P	Security update for pidgin (Important)	2022-05-16
oval:org.opensuse.security:def:1802	P	Security update for pidgin (Important)	2022-05-16
oval:org.opensuse.security:def:5237	P	Security update for pidgin (Important)	2022-05-16

BACK