CVE-2022-28352

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-28352

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-28352.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-28352

Downstream

UBUNTU-CVE-2022-28352

Published

2022-04-02T17:15:07Z

Modified

2025-09-24T03:11:35.046596Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutlscasystem or weechat.network.gnutlscauser is changed without a WeeChat restart.

References

Affected packages

Git / github.com/weechat/weechat

Affected ranges

Type: GIT
Repo: https://github.com/weechat/weechat
Events: Introduced

70c09f1f5a4b317037330699d5cedfe96a54e05c

Fixed

e04047be68afc90491cfc2ed12a3ffc19a1decb4

Affected versions

v3.*

v3.2

v3.3

v3.3-rc1

v3.4

v3.4-rc1