CVE-2022-26491

CVE Database · CVE-2022-26491

CVE-2022-26491

· MEDIUMModified

CVSS v3.1

5.9

EPSS

2.42%

Published

Jun 2, 2022

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-295

Affected Products (2)

pidgin · pidgin (up to 2.14.9)vulnerable

debian · debian_linuxvulnerable

References (12)

https://developer.pidgin.im/wiki/FullChangeLog

Release NotesVendor Advisory

https://github.com/xsf/xeps/pull/1158

PatchThird Party Advisory