CVE-2022-26491

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
Configurations

Configuration 1 (hide)

cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

09 Jun 2022, 19:01

Type Values Removed Values Added
CWE CWE-295
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html - Mailing List, Third Party Advisory
References (MISC) https://pidgin.im/about/security/advisories/cve-2022-26491/ - (MISC) https://pidgin.im/about/security/advisories/cve-2022-26491/ - Vendor Advisory
References (MISC) https://github.com/xsf/xeps/pull/1158 - (MISC) https://github.com/xsf/xeps/pull/1158 - Patch, Third Party Advisory
References (MISC) https://mail.jabber.org/pipermail/standards/2022-February/038759.html - (MISC) https://mail.jabber.org/pipermail/standards/2022-February/038759.html - Mailing List, Third Party Advisory
References (MISC) https://developer.pidgin.im/wiki/FullChangeLog - (MISC) https://developer.pidgin.im/wiki/FullChangeLog - Release Notes, Vendor Advisory
References (MISC) https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc - (MISC) https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc - Patch, Third Party Advisory
CPE cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
First Time Pidgin pidgin
Debian debian Linux
Debian
Pidgin
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 5.9

06 Jun 2022, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html -

02 Jun 2022, 14:53

Type Values Removed Values Added
New CVE

Information

Published : 2022-06-02 14:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-26491

Mitre link : CVE-2022-26491

CVE.ORG link : CVE-2022-26491


JSON object : View

Products Affected

debian

  • debian_linux

pidgin

  • pidgin
CWE
CWE-295

Improper Certificate Validation