GHSA-779w-xvpm-78jx

Published: 31 Jul 2023
Source: github
Github: Reviewed
CVSS3: 7.5

Description

twitch-tui's connection is not encrypted

Summary

The connection is not using TLS for communication.

Details

In the configuration of the IRC connection, you are disabling TLS, which makes all communication to Twitch IRC servers unencrypted.

PoC

You can verify by using tcpdump/wireshark that traffic is unencrypted.

Impact

Communication can be sniffed, even auth tokens.

Packages

Name: twitch-tui (rust)
Affected versions: < 2.4.1
Fixed version: 2.4.1

EPSS

Percentile: 70%
0.00643
Low

CVSS3: 7.5 High

Weaknesses

CWE-311

Related vulnerabilities

CVSS3: 7.5
nvd
more than 2 years ago

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including auth tokens, can be sniffed. Version 2.4.1 has a patch for this issue.
