CVE-2013-7449 - Cryptographic Issues vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Summary
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | | 3
Application | | 2
Application | | 9
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
References
- http://hexchat.readthedocs.org/en/latest/changelog.html
- http://www.ubuntu.com/usn/USN-2945-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1081839
- https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
- https://github.com/hexchat/hexchat/issues/524