GHSA-779w-xvpm-78jx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-779w-xvpm-78jx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-779w-xvpm-78jx/GHSA-779w-xvpm-78jx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-779w-xvpm-78jx
- Aliases
- Published
- 2023-07-31T22:02:54Z
- Modified
- 2023-11-08T04:13:09.297521Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- twitch-tui's connection is not encrypted
- Details
-
Summary
The connection is not using TLS for communication
Details
In the configuration of the irc connection, you are disabling tls which makes all communication to twitch irc servers unencrypted.
PoC
You can verify by using tcpdump/wireshark that traffic is unencrypted.
Impact
Communication can be sniffed, even auth tokens.
- Database specific
{ "nvd_published_at": "2023-08-04T17:15:10Z", "cwe_ids": [ "CWE-311" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-31T22:02:54Z" }- References
-
- https://github.com/Xithrius/twitch-tui/security/advisories/GHSA-779w-xvpm-78jx
- https://nvd.nist.gov/vuln/detail/CVE-2023-38688
- https://github.com/Xithrius/twitch-tui/commit/74d13ddca35f8f0816f4933c229da1fd95c0350a
- https://github.com/Xithrius/twitch-tui
- https://github.com/Xithrius/twitch-tui/blob/340afc3c8c07a83289fe6ef614aa7563c8b70756/src/twitch/connection.rs#L23
Affected packages
crates.io / twitch-tui
Package
- Name
- twitch-tui
- View open source insights on deps.dev
- Purl
- pkg:cargo/twitch-tui