Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-28352

Опубликовано: 02 апр. 2022
Источник: debian

Описание

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
weechatfixed3.4.1-1package
weechatnot-affectedbullseyepackage
weechatnot-affectedbusterpackage
weechatnot-affectedstretchpackage

Примечания

  • https://weechat.org/doc/security/WSA-2022-1/

  • https://github.com/weechat/weechat/issues/1763

  • Fixed by: https://github.com/weechat/weechat/commit/710247891cdfd4e66ee6d1715e93626def6871f1 (v3.4.1)

  • weechat.network.gnutls_ca_system/gnutls_ca_user introduced by: https://github.com/weechat/weechat/commit/c588ee21bc8fd33678893d5c67616033281032e3 (v3.2-rc1)

Связанные уязвимости

ubuntu логотип

CVE-2022-28352

CVSS3: 4.3
ubuntu
почти 4 года назад

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.

nvd логотип

CVE-2022-28352

CVSS3: 4.3
nvd
почти 4 года назад

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.

github логотип

GHSA-q6x4-wf9q-6g23

CVSS3: 4.8
github
почти 4 года назад

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.