Vulnerability Details : CVE-2009-3026
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
Exploit prediction scoring system (EPSS) score for CVE-2009-3026
Probability of exploitation activity in the next 30 days: 0.44%
Percentile (the proportion of vulnerabilities scored at or below this score): ~71%
CVSS scores for CVE-2009-3026
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | [email protected] |
CWE ids for CVE-2009-3026
- Assigned by: [email protected] (Primary)
Vendor statements for CVE-2009-3026
- Red Hat (2009-09-22): Red Hat has released updates to correct this issue: https://rhn.redhat.com/errata/RHSA-2009-1453.html
References for CVE-2009-3026
- http://www.openwall.com/lists/oss-security/2009/08/24/2
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53000
- http://developer.pidgin.im/ticket/8131
- http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279 (Patch)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070
- http://www.securityfocus.com/bid/36368
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757
- cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*