Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jMzVnLWpyNWYtaDgzcM4AAQt2
SleekXMPP and Slixmpp Incorrect Implementation of Message Carbons
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.
Permalink: https://github.com/advisories/GHSA-c35g-jr5f-h83p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMzVnLWpyNWYtaDgzcM4AAQt2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 8 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-c35g-jr5f-h83p, CVE-2017-5591
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5591
- https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8
- https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/
- https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf
- http://openwall.com/lists/oss-security/2017/02/09/29
- https://github.com/fritzy/SleekXMPP/issues/442
- https://github.com/fritzy/SleekXMPP/commit/285495d5ee2427d93d961ceedcd1829383e5196d
- https://web.archive.org/web/20200227192025/http://www.securityfocus.com/bid/96166
- https://github.com/advisories/GHSA-c35g-jr5f-h83p
Blast Radius: 17.0
Affected Packages
pypi:SleekXMPP
Dependent packages: 7
Dependent repositories: 395
Downloads: 3,905 last month
Affected Version Ranges: <= 1.3.1
Fixed in: 1.3.2
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.3.3
pypi:slixmpp
Dependent packages: 14
Dependent repositories: 770
Downloads: 18,497 last month
Affected Version Ranges: <= 1.2.3
Fixed in: 1.2.4
All affected versions: 1.2.1, 1.2.2, 1.2.3
All unaffected versions: 1.2.4, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5