CVE-2022-28352

Published: Apr 2, 2022Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.2 / Impact: 2.5

Source: NVD

Description

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.

Affected (1)

Products: Weechat: Weechat

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Weechat Weechat	From 3.2 to 3.4.1

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://github.com/weechat/weechat/issues/1763

Source: cve@mitre.org

ExploitIssue TrackingMitigationThird Party Advisory

https://weechat.org/doc/security/WSA-2022-1/

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/weechat/weechat/issues/1763

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingMitigationThird Party Advisory

https://weechat.org/doc/security/WSA-2022-1/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.