CVE-2022-28352

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-28352

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-28352.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-28352

Related

UBUNTU-CVE-2022-28352

Published

2022-04-02T17:15:07Z

Modified

2025-01-14T10:54:36.411441Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutlscasystem or weechat.network.gnutlscauser is changed without a WeeChat restart.

References

Affected packages

Debian:12 / weechat

Package

Name: weechat
Purl: pkg:deb/debian/weechat?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / weechat

Package

Name: weechat
Purl: pkg:deb/debian/weechat?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/weechat/weechat

Affected ranges

Type: GIT
Repo: https://github.com/weechat/weechat
Events: Introduced

70c09f1f5a4b317037330699d5cedfe96a54e05c

Fixed

e04047be68afc90491cfc2ed12a3ffc19a1decb4

Affected versions

v3.*

v3.2

v3.3

v3.3-rc1

v3.4

v3.4-rc1