CVE-2022-28352

{"id": "CVE-2022-28352", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2022-04-02T17:15:07.997", "references": [{"url": "https://github.com/weechat/weechat/issues/1763", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://weechat.org/doc/security/WSA-2022-1/", "tags": ["Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/weechat/weechat/issues/1763", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://weechat.org/doc/security/WSA-2022-1/", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart."}, {"lang": "es", "value": "WeeChat (tambi\u00e9n se conoce como Wee Enhanced Environment for Chat) versiones 3.2 a 3.4 anteriores a 3.4.1 no verifica correctamente el certificado TLS del servidor, despu\u00e9s de que sean cambiadas determinadas opciones de GnuTLS, lo que permite a atacantes d tipo man-in-the-middle falsificar un servidor de chat TLS por medio de un certificado arbitrario. NOTA: esto s\u00f3lo afecta a las situaciones en las que weechat.network.gnutls_ca_system o weechat.network.gnutls_ca_user son cambiadas sin reiniciar WeeChat"}], "lastModified": "2024-11-21T06:57:11.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weechat:weechat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4EDD442A-1B0F-4744-A635-72A8F58F8F89", "versionEndExcluding": "3.4.1", "versionStartIncluding": "3.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}