CVE-2014-3694 — MEDIUM (6.4)

Q: How severe is CVE-2014-3694?

CVE-2014-3694 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3694?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Canonical Ubuntu Linux, Debian Debian Linux, Pidgin Pidgin.

Vulnerability Description

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS Score

6.4

MEDIUM

AV:N/AC:L/Au:N/C:P/I:P/A:N

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Opensuse	Opensuse	12.3
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	7.0
Pidgin	Pidgin	<= 2.10.9

Related Weaknesses (CWE)

CWE-310

References

http://hg.pidgin.im/pidgin/main/rev/2e4475087f04Issue Tracking
http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.htmlThird Party Advisory
http://pidgin.im/news/security/?id=86PatchVendor Advisory
http://secunia.com/advisories/60741
http://secunia.com/advisories/61968
http://www.debian.org/security/2014/dsa-3055Third Party Advisory
http://www.ubuntu.com/usn/USN-2390-1Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1854
http://hg.pidgin.im/pidgin/main/rev/2e4475087f04Issue Tracking
http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.htmlThird Party Advisory
http://pidgin.im/news/security/?id=86PatchVendor Advisory
http://secunia.com/advisories/60741
http://secunia.com/advisories/61968

FAQ

What is CVE-2014-3694?

CVE-2014-3694 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X...

How severe is CVE-2014-3694?

CVE-2014-3694 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3694?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Canonical Ubuntu Linux, Debian Debian Linux, Pidgin Pidgin.