CVE-2022-28352
WeeChat 3.2-3.4 - Improper Certificate Validation via GnuTLS Option Change
Severity
MEDIUM
Title source: llmDescription
WeeChat (aka Wee Enhanced Environment for Chat) versions 3.2 through 3.4 (fixed in 3.4.1) do not properly verify the TLS certificate of the server after certain GnuTLS options are changed at runtime, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed in a running WeeChat without a subsequent restart; a fresh start loads the CA configuration correctly.
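As an added check that is not part of this record, the advisory or the WeeChat project: a small WeeChat Python script that prints a warning whenever either option named above is changed at runtime on an affected version (3.2 up to, but not including, 3.4.1), since on those versions the change silently leaves server certificates unverified until WeeChat is restarted or upgraded. The version-range helpers are plain Python so they can be tested outside WeeChat; the script name, the version-range constants and the warning text are this example's own assumptions. The WeeChat calls used (register, hook_config, info_get, prnt) are the documented scripting API.

```python
"""
gnutls_ca_restart_warn.py (hypothetical script name, not shipped with WeeChat)

Warns when weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user
is changed at runtime on a WeeChat version affected by CVE-2022-28352
(3.2 <= version < 3.4.1). Load inside WeeChat with: /script load <path>
"""

try:
    import weechat  # only present when loaded by WeeChat's Python plugin
except ImportError:  # running outside WeeChat (tests, manual checks)
    weechat = None

SCRIPT_NAME = "gnutls_ca_restart_warn"  # assumption: name chosen for this example

# Options whose runtime change triggers the bug (from the CVE description).
WATCHED_OPTIONS = (
    "weechat.network.gnutls_ca_system",
    "weechat.network.gnutls_ca_user",
)

# Affected range taken from the advisory text: 3.2 through 3.4, fixed in 3.4.1.
FIRST_AFFECTED = (3, 2, 0)
FIXED = (3, 4, 1)


def parse_version(version):
    """Turn '3.4', '3.4.1' or '3.5-dev' into a 3-tuple of ints, ignoring suffixes."""
    core = version.split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version string lies in 3.2 <= v < 3.4.1."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def runtime_change_is_dangerous(version, option):
    """True when changing `option` without a restart leaves TLS unverified."""
    return option in WATCHED_OPTIONS and is_affected(version)


def on_config_change(data, option, value):
    """hook_config callback: warn if this change disables certificate checks."""
    version = weechat.info_get("version", "")
    if runtime_change_is_dangerous(version, option):
        weechat.prnt("", "%s: %s changed at runtime on WeeChat %s; TLS server "
                     "certificates are NOT verified until you restart WeeChat "
                     "or upgrade to 3.4.1 (CVE-2022-28352)"
                     % (SCRIPT_NAME, option, version))
    return weechat.WEECHAT_RC_OK


# Registration only happens inside WeeChat; the functions above stay testable.
if weechat is not None and weechat.register(
        SCRIPT_NAME, "example", "0.1", "MIT",
        "Warn on runtime change of gnutls_ca_* options (CVE-2022-28352)", "", ""):
    for opt in WATCHED_OPTIONS:
        weechat.hook_config(opt, "on_config_change", "")
```

The warning is advisory only: the script cannot re-enable verification itself, so the operator must restart WeeChat (which reloads the CA settings correctly) or upgrade to 3.4.1, where the options can be changed safely at runtime.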
References (2)
https://weechat.org/doc/security/WSA-2022-1/ (Exploit, Vendor Advisory)
https://github.com/weechat/weechat/issues/1763 (Exploit, Issue Tracking, Mitigation, Third Party Advisory)
Scores
CVSS v3.1
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS
0.0043
EPSS Percentile
33.9%
Attack Vector
NETWORK
Details
CWE
CWE-295
Status
published
Products (1)
weechat/weechat
3.2 to 3.4 (fixed in 3.4.1)
Published
Apr 02, 2022
Tracked Since
Feb 18, 2026