CVE-2016-9928

Published: Feb 6, 2020Modified: Nov 21, 2024

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

MCabber before 1.0.4 is vulnerable to roster push attacks, which allows remote attackers to intercept communications, or add themselves as an entity on a 3rd party's roster as another user, which will also garner associated privileges, via crafted XMPP packets.

Affected (3)

Products: Mcabber: Mcabber · Canonical: Ubuntu Linux · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mcabber Mcabber	From 1.0.0 to 1.0.4

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (20)

http://lists.opensuse.org/opensuse-updates/2017-01/msg00130.html

Source: security@debian.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2016/12/11/2

Source: security@debian.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2017/02/09/29

Source: security@debian.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/94862

Source: security@debian.org

Third Party AdvisoryVDB Entry

https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw

Source: security@debian.org

PatchThird Party Advisory

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258

Source: security@debian.org

ExploitThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1403790

Source: security@debian.org

ExploitIssue TrackingThird Party Advisory

https://gultsch.de/gajim_roster_push_and_message_interception.html

Source: security@debian.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/06/msg00031.html

Source: security@debian.org

Mailing ListThird Party Advisory

https://usn.ubuntu.com/4506-1/

Source: security@debian.org

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2017-01/msg00130.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2016/12/11/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2017/02/09/29

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/94862

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845258

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1403790

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://gultsch.de/gajim_roster_push_and_message_interception.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/06/msg00031.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://usn.ubuntu.com/4506-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.