Vulnerability Description
Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions.
CVSS Score
4.5
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gajim | Gajim | <= 0.16.7 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3943
- https://bugs.debian.org/863445Third Party Advisory
- https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cPatchVendor Advisory
- https://dev.gajim.org/gajim/gajim/issues/8378PatchVendor Advisory
- https://mail.jabber.org/pipermail/standards/2016-August/031335.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/201707-14
- http://www.debian.org/security/2017/dsa-3943
- https://bugs.debian.org/863445Third Party Advisory
- https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cPatchVendor Advisory
- https://dev.gajim.org/gajim/gajim/issues/8378PatchVendor Advisory
- https://mail.jabber.org/pipermail/standards/2016-August/031335.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/201707-14
FAQ
What is CVE-2016-10376?
CVE-2016-10376 is a vulnerability with a CVSS score of 4.5 (MEDIUM). Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted...
How severe is CVE-2016-10376?
CVE-2016-10376 has been rated MEDIUM with a CVSS base score of 4.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10376?
Check the references section above for vendor advisories and patch information. Affected products include: Gajim Gajim.