CVE-2022-28352
CVE-2022-28352 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Weechat | Weechat | >= 3.2, < 3.4.1 |
References
- https://github.com/weechat/weechat/issues/1763 (Exploit, Issue Tracking, Mitigation, Third Party Advisory)
- https://weechat.org/doc/security/WSA-2022-1/ (Exploit, Vendor Advisory)
Source: NVD / NIST
