CVE-2022-26491 — MEDIUM (5.9)

Q: How severe is CVE-2022-26491?

CVE-2022-26491 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-26491?

Check the references section above for vendor advisories and patch information. Affected products include: Pidgin Pidgin, Debian Debian Linux.

Vulnerability Description

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Pidgin	Pidgin	< 2.14.9
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-295

References

https://developer.pidgin.im/wiki/FullChangeLogRelease NotesVendor Advisory
https://github.com/xsf/xeps/pull/1158PatchThird Party Advisory
https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdcPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/06/msg00005.htmlMailing ListThird Party Advisory
https://mail.jabber.org/pipermail/standards/2022-February/038759.htmlMailing ListThird Party Advisory
https://pidgin.im/about/security/advisories/cve-2022-26491/Vendor Advisory
https://developer.pidgin.im/wiki/FullChangeLogRelease NotesVendor Advisory
https://github.com/xsf/xeps/pull/1158PatchThird Party Advisory
https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdcPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/06/msg00005.htmlMailing ListThird Party Advisory
https://mail.jabber.org/pipermail/standards/2022-February/038759.htmlMailing ListThird Party Advisory
https://pidgin.im/about/security/advisories/cve-2022-26491/Vendor Advisory

FAQ

What is CVE-2022-26491?

CVE-2022-26491 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verificat...

How severe is CVE-2022-26491?

CVE-2022-26491 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-26491?

Check the references section above for vendor advisories and patch information. Affected products include: Pidgin Pidgin, Debian Debian Linux.