{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-08-22T00:00:00", "descriptions": [{"lang": "en", "value": "protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "36368", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36368"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://developer.pidgin.im/ticket/8131"}, {"name": "37071", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37071"}, {"name": "[oss-security] 20090824 CVE id request: pidgin", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"}, {"name": "pidgin-libpurple-weak-security(53000)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"}, {"name": "oval:org.mitre.oval:def:5757", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"}, {"name": "oval:org.mitre.oval:def:11070", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "36368", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36368"}, {"name": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279", "refsource": "CONFIRM", "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"}, {"name": "http://developer.pidgin.im/ticket/8131", "refsource": "CONFIRM", "url": "http://developer.pidgin.im/ticket/8131"}, {"name": "37071", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37071"}, {"name": "[oss-security] 20090824 CVE id request: pidgin", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"}, {"name": "pidgin-libpurple-weak-security(53000)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"}, {"name": "oval:org.mitre.oval:def:5757", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"}, {"name": "oval:org.mitre.oval:def:11070", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:14:55.553Z"}, "title": "CVE Program Container", "references": [{"name": "36368", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36368"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://developer.pidgin.im/ticket/8131"}, {"name": "37071", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37071"}, {"name": "[oss-security] 20090824 CVE id request: pidgin", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"}, {"name": "pidgin-libpurple-weak-security(53000)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"}, {"name": "oval:org.mitre.oval:def:5757", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"}, {"name": "oval:org.mitre.oval:def:11070", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3026", "datePublished": "2009-08-31T20:00:00", "dateReserved": "2009-08-31T00:00:00", "dateUpdated": "2024-08-07T06:14:55.553Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A8321D92-B935-4C2A-81B1-5984BFF4FD57", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."}, {"lang": "es", "value": "protocols/jabber/auth.c en libpurple en Pidgin v2.6.0, y posiblemente otras versiones, no siguen las preferencias \"requeridas en TSL/SSL\" cuando se conectan a un servidor Jabber viejo, que no siguen las especificaciones XMPP, lo que provoca que libpurple se conecte al servidor sin el cifrado esperado y permita a atacantes remotos poder esp\u00edar la sesi\u00f3n."}], "id": "CVE-2009-3026", "lastModified": "2017-09-19T01:29:24.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-08-31T20:30:01.140", "references": [{"source": "cve@mitre.org", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"}, {"source": "cve@mitre.org", "url": "http://developer.pidgin.im/ticket/8131"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/37071"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/36368"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat has released updates to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2009-1453.html", "lastModified": "2009-09-22T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2009:1453", "cpe": "cpe:/o:redhat:enterprise_linux:4", "package": "pidgin-0:2.6.2-2.el4", "product_name": "Red Hat Enterprise Linux 4", "release_date": "2009-09-21T00:00:00Z"}, {"advisory": "RHSA-2009:1453", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "pidgin-0:2.6.2-2.el5", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2009-09-21T00:00:00Z"}], "bugzilla": {"description": "pidgin: ignores SSL/TLS requirements with old jabber servers", "id": "519224", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=519224"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "details": ["protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."], "name": "CVE-2009-3026", "public_date": "2009-01-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2009-3026\nhttps://nvd.nist.gov/vuln/detail/CVE-2009-3026"], "threat_severity": "Low"}