CVE-2017-5591 — MEDIUM (5.9)

Q: How severe is CVE-2017-5591?

CVE-2017-5591 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-5591?

Check the references section above for vendor advisories and patch information. Affected products include: Sleekxmpp Project Sleekxmpp, Slixmpp Project Slixmpp, Poezio Poezio.

Vulnerability Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Sleekxmpp Project	Sleekxmpp	<= 1.3.1
Slixmpp Project	Slixmpp	<= 1.2.3
Poezio	Poezio	0.8

Related Weaknesses (CWE)

CWE-20 CWE-346

References

http://openwall.com/lists/oss-security/2017/02/09/29ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/bid/96166Third Party AdvisoryVDB Entry
https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160adPatch
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ExploitTechnical DescriptionThird Party Advisory
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdExploitTechnical DescriptionThird Party Advisory
http://openwall.com/lists/oss-security/2017/02/09/29ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/bid/96166Third Party AdvisoryVDB Entry
https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160adPatch
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ExploitTechnical DescriptionThird Party Advisory
https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdExploitTechnical DescriptionThird Party Advisory

FAQ

What is CVE-2017-5591?

CVE-2017-5591 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This ...

How severe is CVE-2017-5591?

CVE-2017-5591 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-5591?

Check the references section above for vendor advisories and patch information. Affected products include: Sleekxmpp Project Sleekxmpp, Slixmpp Project Slixmpp, Poezio Poezio.