QwikSec

Security Database

CVE

CWE

Training

CVE-2022-26491

Published: May 31, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://mail.jabber.org/pipermail/standards/2022-February/038759.html

x_refsource_MISC

https://github.com/xsf/xeps/pull/1158

x_refsource_MISC

https://developer.pidgin.im/wiki/FullChangeLog

x_refsource_MISC

https://pidgin.im/about/security/advisories/cve-2022-26491/

x_refsource_MISC

https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc

x_refsource_MISC

[debian-lts-announce] 20220606 [SECURITY] [DLA 3043-1] pidgin security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.