PT-2022-17898 · Pidgin+4 · Pidgin+4

Moparisthebest

Published

2022-04-28

Updated

2025-03-26

CVE-2022-26491

CVSS v2.0

6.2

Medium

Vector

AV:A/AC:H/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions Pidgin versions prior to 2.14.9

Description A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take control over the XMPP connection and obtain user credentials and all communication content. This issue can be exploited when DNSSEC is not used.

Recommendations For versions prior to 2.14.9, update to version 2.14.9 or later to resolve the issue. As a temporary workaround, consider enabling DNSSEC to minimize the risk of DNS spoofing. Restrict access to sensitive information and communication content until the update is applied.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295CWE-924

Related Identifiers

ALT-PU-2023-5431

ALT-PU-2023-5433

ALT-PU-2023-5434

ALT-PU-2023-5437

BDU:2025-03801

CVE-2022-26491

DLA-3043-1

MGASA-2022-0208

OPENSUSE-SU-2022_1665-1

OPENSUSE-SU-2024:12036-1

ROSA-SA-2023-2186

SUSE-SU-2022:1664-1

SUSE-SU-2022:1665-1

SUSE-SU-2022:1693-1

SUSE-SU-2022_1664-1

SUSE-SU-2022_1665-1

SUSE-SU-2022_1693-1

Affected Products

Alt Linux

Debian

Pidgin

Red Os

Suse

PT-2022-17898 · Pidgin+4 · Pidgin+4

CVE-2022-26491

Weakness Enumeration

Related Identifiers

Affected Products

References · 43