Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.8
CVE Id: CVE-2011-1428
Last Modified: 22 Mar 2011 12:00:00
Published: 16 Mar 2011 06:55:04
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2011-1428

Summary

Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.

Vulnerable Systems

Application

  • Flashtux Weechat 0.0.1

  • Flashtux Weechat 0.0.2

  • Flashtux Weechat 0.0.3

  • Flashtux Weechat 0.0.4

  • Flashtux Weechat 0.0.5

  • Flashtux Weechat 0.0.6

  • Flashtux Weechat 0.0.7

  • Flashtux Weechat 0.0.8

  • Flashtux Weechat 0.0.9

  • Flashtux Weechat 0.1.0

  • Flashtux Weechat 0.1.1

  • Flashtux Weechat 0.1.2

  • Flashtux Weechat 0.1.3

  • Flashtux Weechat 0.1.4

  • Flashtux Weechat 0.1.5

  • Flashtux Weechat 0.1.6

  • Flashtux Weechat 0.1.7

  • Flashtux Weechat 0.1.8

  • Flashtux Weechat 0.1.9

  • Flashtux Weechat 0.2.0

  • Flashtux Weechat 0.2.1

  • Flashtux Weechat 0.2.2

  • Flashtux Weechat 0.2.3

  • Flashtux Weechat 0.2.4

  • Flashtux Weechat 0.2.5

  • Flashtux Weechat 0.2.6

  • Flashtux Weechat 0.2.6.1

  • Flashtux Weechat 0.2.6.2

  • Flashtux Weechat 0.2.6.3

  • Flashtux Weechat 0.3.0

  • Flashtux Weechat 0.3.1

  • Flashtux Weechat 0.3.1.1

  • Flashtux Weechat 0.3.2

  • Flashtux Weechat 0.3.3

  • Flashtux Weechat 0.3.4


References

CONFIRM - http://savannah.nongnu.org/patch/index.php?7459

CONFIRM - http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91

BID - 46612

SECUNIA - 43543

FULLDISC - 20110227 weechat does not properly use gnutls and allow an attacker to bypass certificate verification


Last Updated: 27 May 2016 10:56:19