CVE-2022-28352

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.
References
Link Resource
https://github.com/weechat/weechat/issues/1763 Exploit Issue Tracking Mitigation Third Party Advisory
https://weechat.org/doc/security/WSA-2022-1/ Exploit Vendor Advisory
https://github.com/weechat/weechat/issues/1763 Exploit Issue Tracking Mitigation Third Party Advisory
https://weechat.org/doc/security/WSA-2022-1/ Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:weechat:weechat:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:57

Type Values Removed Values Added
References () https://github.com/weechat/weechat/issues/1763 - Exploit, Issue Tracking, Mitigation, Third Party Advisory () https://github.com/weechat/weechat/issues/1763 - Exploit, Issue Tracking, Mitigation, Third Party Advisory
References () https://weechat.org/doc/security/WSA-2022-1/ - Exploit, Vendor Advisory () https://weechat.org/doc/security/WSA-2022-1/ - Exploit, Vendor Advisory
CVSS v2 : 4.0
v3 : 4.8
v2 : 4.0
v3 : 4.3

13 Apr 2022, 18:33

Type Values Removed Values Added
CPE cpe:2.3:a:weechat:weechat:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 4.8
References (MISC) https://weechat.org/doc/security/WSA-2022-1/ - (MISC) https://weechat.org/doc/security/WSA-2022-1/ - Exploit, Vendor Advisory
References (MISC) https://github.com/weechat/weechat/issues/1763 - (MISC) https://github.com/weechat/weechat/issues/1763 - Exploit, Issue Tracking, Mitigation, Third Party Advisory
CWE CWE-295

02 Apr 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-02 17:15

Updated : 2024-11-21 06:57


NVD link : CVE-2022-28352

Mitre link : CVE-2022-28352

CVE.ORG link : CVE-2022-28352


JSON object : View

Products Affected

weechat

  • weechat
CWE
CWE-295

Improper Certificate Validation