exploitDog

CVE-2014-3694

Published: 22 Oct. 2014
Source: redhat
CVSS3: 3.1
CVSS2: 2.6

Description

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | pidgin | Will not fix | | |
| Red Hat Enterprise Linux 6 | pidgin | Will not fix | | |
| Red Hat Enterprise Linux 7 | pidgin | Fixed | RHSA-2017:1854 | 01.08.2017 |

Additional information

Status: Low
Defect: CWE-295
https://bugzilla.redhat.com/show_bug.cgi?id=1154908 pidgin: SSL/TLS plug-ins failed to check Basic Constraints

CVSS3: 3.1 Low
CVSS2: 2.6 Low

Related vulnerabilities

ubuntu
about 11 years ago

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

nvd
about 11 years ago

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

debian
about 11 years ago

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/ ...

github
more than 3 years ago

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

oracle-oval
more than 8 years ago

ELSA-2017-1854: pidgin security, bug fix, and enhancement update (MODERATE)

Vulnerability CVE-2014-3694