Pidgin < 2.10.10 Multiple Vulnerabilities

medium Nessus Plugin ID 78689

Synopsis

An instant messaging client installed on the remote Windows host is affected by multiple vulnerabilities.

Description

The version of Pidgin installed on the remote host is prior to 2.10.10. It is, therefore, affected by the following vulnerabilities:

- An error exists in the included libpurple library related to the SSL Basic Constraints extension and Certificate Authority (CA) verification that allows intermediate certificates to be trusted as a CA. (CVE-2014-3694)

- An error exists in the included libpurple library related to emoticon handling that allows an attacker to crash the application. (CVE-2014-3695)

- An error exists in the included libpurple library related to 'Groupwise' message handling and UI memory management that allows an attacker to crash the application. (CVE-2014-3696)

- An error exists related to handling 'untar' operations on 'smiley themes' that allows arbitrary file overwrites. This issue only affects installs on Microsoft Windows. (CVE-2014-3697)

- An error exists in the included libpurple library related to handling XMPP messages that allows an attacker to obtain arbitrary memory contents. (CVE-2014-3698)

Solution

Upgrade to Pidgin 2.10.10 or later.

See Also

https://developer.pidgin.im/wiki/ChangeLog#version2.10.1010222014

http://pidgin.im/news/security/?id=86

http://pidgin.im/news/security/?id=87

http://pidgin.im/news/security/?id=88

http://pidgin.im/news/security/?id=89

http://pidgin.im/news/security/?id=90

Plugin Details

Severity: Medium

ID: 78689

File Name: pidgin_2_10_10.nasl

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 10/27/2014

Updated: 11/25/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2014-3697

Vulnerability Information

CPE: cpe:/a:pidgin:pidgin, cpe:/a:pidgin:libpurple

Required KB Items: SMB/Registry/Enumerated, installed_sw/Pidgin

Exploit Ease: No known exploits are available

Patch Publication Date: 10/22/2014

Vulnerability Publication Date: 10/22/2014

Reference Information

CVE: CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3697, CVE-2014-3698

BID: 70701, 70702, 70703, 70704, 70705