NVD Vulnerability Detail

CVE-2011-1428

Summary	Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.
Publication Date	March 17, 2011, 7:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:26 a.m.

CVSS2.0 : MEDIUM
Score	5.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:flashtux:weechat:0.2.3:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.3:::::::*
cpe:2.3:a:flashtux:weechat:0.0.4:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.8:::::::*
cpe:2.3:a:flashtux:weechat:0.3.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.0:::::::*
cpe:2.3:a:flashtux:weechat:0.0.2:::::::*
cpe:2.3:a:flashtux:weechat:0.3.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.7:::::::*
cpe:2.3:a:flashtux:weechat:0.1.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.3:::::::*
cpe:2.3:a:flashtux:weechat:0.0.7:::::::*
cpe:2.3:a:flashtux:weechat:0.0.5:::::::*
cpe:2.3:a:flashtux:weechat:0.1.9:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6:::::::*
cpe:2.3:a:flashtux:weechat:0.3.0:::::::*
cpe:2.3:a:flashtux:weechat:0.1.5:::::::*
cpe:2.3:a:flashtux:weechat:0.1.6:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.4:::::::*
cpe:2.3:a:flashtux:weechat:0.0.8:::::::*
cpe:2.3:a:flashtux:weechat:0.2.1:::::::*
cpe:2.3:a:flashtux:weechat:0.0.1:::::::*
cpe:2.3:a:flashtux:weechat:0.3.1.1:::::::*
cpe:2.3:a:flashtux:weechat:0.2.0:::::::*
cpe:2.3:a:flashtux:weechat:0.0.9:::::::*
cpe:2.3:a:flashtux:weechat:0.0.6:::::::*
cpe:2.3:a:flashtux:weechat:0.2.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.2:::::::*
cpe:2.3:a:flashtux:weechat:0.0.3:::::::*
cpe:2.3:a:flashtux:weechat:0.3.3:::::::*
cpe:2.3:a:flashtux:weechat::::::::		0.3.4
cpe:2.3:a:flashtux:weechat:0.2.5:::::::*
cpe:2.3:a:flashtux:weechat:0.2.4:::::::*

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html	Exploit
2	http://git.savannah.gnu.org/gitweb/?p=weechat.git%3Ba=commit%3Bh=c265cad1c95b84abfd4e8d861f25926ef13b5d91
3	http://savannah.nongnu.org/patch/index.php?7459	Exploit Patch
4	http://secunia.com/advisories/43543	Vendor Advisory
5	http://www.securityfocus.com/bid/46612
6	http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html	Exploit
7	http://www.securityfocus.com/bid/46612
8	http://secunia.com/advisories/43543	Vendor Advisory
9	http://savannah.nongnu.org/patch/index.php?7459	Exploit Patch
10	http://git.savannah.gnu.org/gitweb/?p=weechat.git%3Ba=commit%3Bh=c265cad1c95b84abfd4e8d861f25926ef13b5d91

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

Chat の Wee Enhanced Environment における SSL chat サーバになりすまされる脆弱性

Title	Chat の Wee Enhanced Environment における SSL chat サーバになりすまされる脆弱性
Summary	Chat の Wee Enhanced Environment は、X.509 証明書の件名のドメイン名を照合するサーバホスト名を検証しないため、SSL chat サーバになりすまされる脆弱性が存在します。本脆弱性は、GnuTLS API の不正使用に関連します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、任意の証明書を介して、SSL chat サーバになりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 16, 2011, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

FlashTux

WeeChat 0.3.4 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1428	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1428
National Vulnerability Database (NVD)
2	CVE-2011-1428	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1428

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
FlashTux
1	c265cad1c95b84abfd4e8d861f25926ef13b5d91	http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91
2	patch #7459	http://savannah.nongnu.org/patch/index.php?7459

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:flashtux:weechat:0.2.3:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.3:::::::*
cpe:2.3:a:flashtux:weechat:0.0.4:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.8:::::::*
cpe:2.3:a:flashtux:weechat:0.3.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.0:::::::*
cpe:2.3:a:flashtux:weechat:0.0.2:::::::*
cpe:2.3:a:flashtux:weechat:0.3.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.7:::::::*
cpe:2.3:a:flashtux:weechat:0.1.1:::::::*
cpe:2.3:a:flashtux:weechat:0.1.3:::::::*
cpe:2.3:a:flashtux:weechat:0.0.7:::::::*
cpe:2.3:a:flashtux:weechat:0.0.5:::::::*
cpe:2.3:a:flashtux:weechat:0.1.9:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6:::::::*
cpe:2.3:a:flashtux:weechat:0.3.0:::::::*
cpe:2.3:a:flashtux:weechat:0.1.5:::::::*
cpe:2.3:a:flashtux:weechat:0.1.6:::::::*
cpe:2.3:a:flashtux:weechat:0.2.6.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.4:::::::*
cpe:2.3:a:flashtux:weechat:0.0.8:::::::*
cpe:2.3:a:flashtux:weechat:0.2.1:::::::*
cpe:2.3:a:flashtux:weechat:0.0.1:::::::*
cpe:2.3:a:flashtux:weechat:0.3.1.1:::::::*
cpe:2.3:a:flashtux:weechat:0.2.0:::::::*
cpe:2.3:a:flashtux:weechat:0.0.9:::::::*
cpe:2.3:a:flashtux:weechat:0.0.6:::::::*
cpe:2.3:a:flashtux:weechat:0.2.2:::::::*
cpe:2.3:a:flashtux:weechat:0.1.2:::::::*
cpe:2.3:a:flashtux:weechat:0.0.3:::::::*
cpe:2.3:a:flashtux:weechat:0.3.3:::::::*
cpe:2.3:a:flashtux:weechat::::::::		0.3.4
cpe:2.3:a:flashtux:weechat:0.2.5:::::::*
cpe:2.3:a:flashtux:weechat:0.2.4:::::::*