Vulnerability CVE-2011-1428


Published: 2011-03-16   Modified: 2012-02-13

Description:
Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.

Type:

CWE-20

(Improper Input Validation)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
4.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None
Affected software
Flashtux -> Weechat 

 References:
http://savannah.nongnu.org/patch/index.php?7459
http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91
http://www.securityfocus.com/bid/46612
http://secunia.com/advisories/43543
http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html

Copyright 2024, cxsecurity.com

 

Back to Top