PT-2011-3123 · Weechat · Weechat

Gu1 · Published 2011-03-16 · Updated 2011-03-22 · CVE-2011-1428

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Wee Enhanced Environment for Chat (aka WeeChat) versions 0.3.4 and earlier

Description: WeeChat does not properly verify that the server hostname matches the domain name in the subject of the X.509 certificate. Because of this incorrect use of the GnuTLS API, man-in-the-middle attackers can spoof an SSL chat server with an arbitrary certificate.

Recommendations: For Wee Enhanced Environment for Chat (aka WeeChat) versions 0.3.4 and earlier, update to a version that properly verifies the server hostname against the domain name of the X.509 certificate subject.
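
The missing check described above, as an added example (not WeeChat or GnuTLS code): a certificate is modelled as a plain struct, and a chain-only acceptance decision is compared with one that also matches the requested hostname. All struct, function and host names are assumptions made for this example; in a real GnuTLS client the name comparison is done by `gnutls_x509_crt_check_hostname()`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of a peer certificate (assumption, not a GnuTLS type). */
struct peer_cert {
    bool chain_trusted;        /* signature chain verified to a trusted CA */
    const char *dns_names[4];  /* DNS names the certificate was issued for */
};

/* Case-insensitive match; "*" only as the whole leftmost label, one label wide. */
static bool name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        return rest != NULL && rest != host && strcasecmp(pattern + 1, rest) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Flawed pattern: a trusted chain alone is treated as proof of identity. */
bool accept_chain_only(const struct peer_cert *c, const char *host)
{
    (void)host;                /* the requested hostname is never consulted */
    return c->chain_trusted;
}

/* Corrected pattern: trusted chain AND a name issued for this host. */
bool accept_chain_and_host(const struct peer_cert *c, const char *host)
{
    if (!c->chain_trusted)
        return false;
    for (int i = 0; i < 4 && c->dns_names[i] != NULL; i++)
        if (name_matches(c->dns_names[i], host))
            return true;
    return false;
}

/* Constructed sample certificates, both with a valid chain. */
const struct peer_cert cert_other_site = { true, { "www.other.example", NULL } };
const struct peer_cert cert_chat_wild  = { true, { "*.chat.example", NULL } };

int main(void)
{
    const char *host = "irc.chat.example";  /* constructed hostname */
    printf("chain only: %d\n", accept_chain_only(&cert_other_site, host));
    printf("chain+host: %d\n", accept_chain_and_host(&cert_other_site, host));
    return 0;
}
```
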


Weakness Enumeration

Related Identifiers

CVE-2011-1428
DSA-2598-1

Affected Products

Weechat