Vulnerability Details : CVE-2009-3026
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
Products affected by CVE-2009-3026
- cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3026
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2009-3026
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2009-3026
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-3026
- Red Hat (2009-09-22): Red Hat has released updates to correct this issue: https://rhn.redhat.com/errata/RHSA-2009-1453.html
References for CVE-2009-3026
- http://www.openwall.com/lists/oss-security/2009/08/24/2 (oss-security - CVE id request: pidgin)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891 (#542891 - libpurple connects without encryption while "require TLS/SSL" is enabled - Debian Bug report logs)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53000 (Pidgin libpurple weak security CVE-2009-3026 Vulnerability Report)
- http://developer.pidgin.im/ticket/8131 (SSL/TLS bug due to old servers that don't follow xmpp spec : PIDGIN-8131)
- http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279 (Patch)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070
- http://www.securityfocus.com/bid/36368
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757