CVE-2009-3026

high

Description

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070

https://exchange.xforce.ibmcloud.com/vulnerabilities/53000

http://www.securityfocus.com/bid/36368

http://www.openwall.com/lists/oss-security/2009/08/24/2

http://secunia.com/advisories/37071

http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

http://developer.pidgin.im/ticket/8131

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891

Details

Source: Mitre, NVD

Published: 2009-08-31

Updated: 2017-09-19

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High