Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Nzl3LXh2cG0tNzhqeM4AA0-P
twitch-tui's connection is not encrypted
Summary
The connection is not using TLS for communication
Details
In the configuration of the irc connection, you are disabling tls which makes all communication to twitch irc servers unencrypted.
PoC
You can verify by using tcpdump/wireshark that traffic is unencrypted.
Impact
Communication can be sniffed, even auth tokens.
Permalink: https://github.com/advisories/GHSA-779w-xvpm-78jxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Nzl3LXh2cG0tNzhqeM4AA0-P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-779w-xvpm-78jx, CVE-2023-38688
References:
- https://github.com/Xithrius/twitch-tui/security/advisories/GHSA-779w-xvpm-78jx
- https://github.com/Xithrius/twitch-tui/commit/74d13ddca35f8f0816f4933c229da1fd95c0350a
- https://github.com/Xithrius/twitch-tui/blob/340afc3c8c07a83289fe6ef614aa7563c8b70756/src/twitch/connection.rs#L23
- https://nvd.nist.gov/vuln/detail/CVE-2023-38688
- https://github.com/advisories/GHSA-779w-xvpm-78jx
Blast Radius: 1.0
Affected Packages
cargo:twitch-tui
Dependent packages: 0Dependent repositories: 0
Downloads: 31,320 total
Affected Version Ranges: < 2.4.1
Fixed in: 2.4.1
All affected versions: 1.2.2, 1.2.3, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0
All unaffected versions: 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17