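An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including the victim's contacts, in the vulnerable application's display. This enables various kinds of social engineering attacks. XEP-0280 requires a client to ignore any carbon copy that does not come from the user's own bare JID; clients that skip this sender check display forged carbons as genuine messages. This CVE covers profanity (0.4.7 - 0.5.0).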
{
"versions": [
{
"introduced": "0"
},
{
"last_affected": "0.4.7-NA"
},
{
"introduced": "0"
},
{
"last_affected": "0.4.7-cyg1"
},
{
"introduced": "0"
},
{
"last_affected": "0.4.7-cyg2"
},
{
"introduced": "0"
},
{
"last_affected": "0.4.7-cyg3"
},
{
"introduced": "0"
},
{
"last_affected": "0.4.7-patch1"
},
{
"introduced": "0"
},
{
"last_affected": "0.5.0-NA"
},
{
"introduced": "0"
},
{
"last_affected": "0.5.0-rc1"
}
]
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5592.json"
"2026-04-11T04:59:42Z"
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"43674570987415379562834289238571991228",
"85997097170914970319998696623555001435",
"199915616696410343235400945864382345600",
"67141778361390527333760574197905403924"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2017-5592-605a0cf6",
"signature_version": "v1",
"source": "https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b",
"target": {
"file": "tests/functionaltests/test_carbons.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"269672725800911013049720229985177148429",
"147937880059459280781124999408304611935",
"98013001733306130113818985562635411688",
"48435102129655158876459487600381447272",
"274643813655947615398101824109268710667",
"323088572927188402907203319880457121370",
"9590343397176827005811879247126636121"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2017-5592-838b1a83",
"signature_version": "v1",
"source": "https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b",
"target": {
"file": "src/xmpp/message.c"
}
},
{
"digest": {
"length": 1119.0,
"function_hash": "44724400157544853113936891218358527427"
},
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2017-5592-8d394e89",
"signature_version": "v1",
"source": "https://github.com/profanity-im/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b",
"target": {
"function": "receive_carbon",
"file": "tests/functionaltests/test_carbons.c"
}
}
]