CVE-2016-9928 — HIGH (7.4) — White Hats Nepal

Q: How severe is CVE-2016-9928?

CVE-2016-9928 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-9928?

Check the references section above for vendor advisories and patch information. Affected products include: Mcabber Mcabber, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Mcabber	Mcabber	>= 1.0.0, < 1.0.4
Canonical	Ubuntu Linux	16.04
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-269

References

http://lists.opensuse.org/opensuse-updates/2017-01/msg00130.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/11/2Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2017/02/09/29Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/94862Third Party AdvisoryVDB Entry
https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720aePatchThird Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258ExploitThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1403790ExploitIssue TrackingThird Party Advisory
https://gultsch.de/gajim_roster_push_and_message_interception.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00031.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4506-1/Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00130.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/11/2Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2017/02/09/29Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/94862Third Party AdvisoryVDB Entry
https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720aePatchThird Party Advisory

FAQ

What is CVE-2016-9928?

CVE-2016-9928 is a vulnerability with a CVSS score of 7.4 (HIGH). MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will...

How severe is CVE-2016-9928?

CVE-2016-9928 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9928?

Check the references section above for vendor advisories and patch information. Affected products include: Mcabber Mcabber, Canonical Ubuntu Linux, Debian Debian Linux.