CVE-2022-26491
Pidgin < 2.14.9 - Improper Certificate Validation via DNS Spoofing
Severity: MEDIUM
Title source: llmDescription
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client then performs TLS certificate verification against the malicious domain name returned by DNS instead of the original XMPP service domain, so a certificate valid for the attacker's domain is accepted. This allows the attacker to take over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
References (6)
Mailing List, Third Party Advisory (x_refsource_misc): https://mail.jabber.org/pipermail/standards/2022-February/038759.html
Patch, Third Party Advisory (x_refsource_misc): https://github.com/xsf/xeps/pull/1158
Release Notes, Vendor Advisory (x_refsource_misc): https://developer.pidgin.im/wiki/FullChangeLog
Vendor Advisory (x_refsource_misc): https://pidgin.im/about/security/advisories/cve-2022-26491/
Patch, Third Party Advisory (x_refsource_misc): https://keep.imfreedom.org/pidgin/pidgin/rev/13cdb7956bdc
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2022/06/msg00005.html
Scores
CVSS v3: 5.9
EPSS: 0.0120
EPSS Percentile: 79.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-295
Status: published
Products (2)
debian/debian_linux: 9.0
pidgin/pidgin: < 2.14.9
Published: Jun 02, 2022
Tracked Since: Feb 18, 2026