This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Pidgin First view 2010-01-09
Product Pidgin Last view 2018-09-05
Version 2.6.4 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:pidgin:pidgin

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
9.8 2018-09-05 CVE-2016-1000030

Pidgin version <2.11.0 contains a vulnerability in X.509 Certificates imports specifically due to improper check of return values from gnutls_x509_crt_init() and gnutls_x509_crt_import() that can result in code execution. This attack appear to be exploitable via custom X.509 certificate from another client. This vulnerability appears to have been fixed in 2.11.0.

9.8 2018-07-27 CVE-2017-2640

An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process.

3.7 2017-01-06 CVE-2016-4323

A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.

3.1 2017-01-06 CVE-2016-2380

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.

8.1 2017-01-06 CVE-2016-2378

A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.

8.1 2017-01-06 CVE-2016-2377

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.

8.1 2017-01-06 CVE-2016-2376

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.

5.3 2017-01-06 CVE-2016-2375

An exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure.

8.1 2017-01-06 CVE-2016-2374

An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.

5.9 2017-01-06 CVE-2016-2373

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.

5.9 2017-01-06 CVE-2016-2372

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle attacker can send an invalid size for a file transfer which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the file is sent to another user.

8.1 2017-01-06 CVE-2016-2371

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

5.9 2017-01-06 CVE-2016-2370

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.

5.9 2017-01-06 CVE-2016-2369

A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.

8.1 2017-01-06 CVE-2016-2368

Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.

5.9 2017-01-06 CVE-2016-2367

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.

5.9 2017-01-06 CVE-2016-2366

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

5.9 2017-01-06 CVE-2016-2365

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

5 2014-10-29 CVE-2014-3698

The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.

6.4 2014-10-29 CVE-2014-3697

Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.

5 2014-10-29 CVE-2014-3696

nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.

5 2014-10-29 CVE-2014-3695

markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.

6.4 2014-10-29 CVE-2014-3694

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5 2014-02-06 CVE-2014-0020

The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.

10 2014-02-06 CVE-2013-6490

The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.

CWE : Common Weakness Enumeration

%idName
26% (16) CWE-20 Improper Input Validation
18% (11) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
13% (8) CWE-125 Out-of-bounds Read
11% (7) CWE-399 Resource Management Errors
9% (6) CWE-200 Information Exposure
4% (3) CWE-189 Numeric Errors
4% (3) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (2) CWE-787 Out-of-bounds Write
3% (2) CWE-476 NULL Pointer Dereference
1% (1) CWE-310 Cryptographic Issues
1% (1) CWE-295 Certificate Issues
1% (1) CWE-264 Permissions, Privileges, and Access Controls

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-23 File System Function Injection, Content Based
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-76 Manipulating Input to File System Calls
CAPEC-78 Using Escaped Slashes in Alternate Encoding
CAPEC-79 Using Slashes in Alternate Encoding
CAPEC-139 Relative Path Traversal

Open Source Vulnerability Database (OSVDB)

id Description
77751 Pidgin libpurple/protocols/silc/ops.c silc_channel_message() Function SILC Me...
77750 Pidgin XMPP Protocol Missing Field Video / Voice Chat Stanza Remote DoS
77749 Pidgin libpurple/protocols/oscar/family_feedbag.c Oscar Protocol Buddy Additi...
74921 Pidgin libpurple Yahoo! Plugin libymsg.c Malformed YMSG Message Handling Remo...
74827 Pidgin on Windows gtkutils.c file: URL Arbitrary Program Execution
74826 Pidgin libpurple MSN Protocol Plugin httpconn.c msn_httpconn_parse_data Funct...
74825 Pidgin libpurple IRC Protocol Plugin msgs.c irc_msg_who Function WHO Response...
70162 Pidgin MSN Direct Connection p2pv2 Packet Handling NULL Dereference Remote DoS
68773 Pidgin Multiple Protocol Plugin purple_base64_decode() Function Base64 Encode...
66506 Pidgin libpurple X-Status Message NULL Dereference DoS
64609 Pidgin libpurple slp.c msn_emoticon_msg Function SLP Message Custom Emoticon DoS
62440 Pidgin gtkimhtml.c Excessive Smiley CPU Consumption Remote DoS
62439 Pidgin XMPP Multi-user Chat Room Malformed Nickname Remote DoS
61626 Adium libpurple MSN protocol plugin slp.c Unspecified Memory Corruption
61625 Pidgin libpurple MSN protocol plugin slp.c Unspecified Memory Corruption
61421 Adium MSN Custom Smileys Feature Emoticon Request Traversal Arbitrary File Di...
61420 Pidgin MSN Custom Smileys Feature Emoticon Request Traversal Arbitrary File D...

ExploitDB Exploits

id Description
11203 Pidgin MSN <= 2.6.4 File Download Vulnerability

OpenVAS Exploits

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2012-10-19 Name : Pidgin MXit Message Parsing Buffer Overflow Vulnerability (Windows)
File : nvt/gb_pidgin_mxit_msg_parsing_bof_vuln_win.nasl
2012-10-03 Name : Gentoo Security Advisory GLSA 201209-17 (pidgin)
File : nvt/glsa_201209_17.nasl
2012-09-10 Name : Slackware Advisory SSA:2012-195-02 pidgin
File : nvt/esoft_slk_ssa_2012_195_02.nasl
2012-08-30 Name : Fedora Update for pidgin FEDORA-2012-10287
File : nvt/gb_fedora_2012_10287_pidgin_fc17.nasl
2012-08-30 Name : Fedora Update for pidgin FEDORA-2012-8669
File : nvt/gb_fedora_2012_8669_pidgin_fc15.nasl
2012-08-30 Name : Fedora Update for pidgin FEDORA-2012-8687
File : nvt/gb_fedora_2012_8687_pidgin_fc17.nasl
2012-08-17 Name : Pidgin 'Libpurple' Cipher API Information Disclosure Vulnerability (Windows)
File : nvt/gb_pidgin_libpurple_cipher_api_info_disc_vuln_win.nasl
2012-08-10 Name : Debian Security Advisory DSA 2509-1 (pidgin)
File : nvt/deb_2509_1.nasl
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-11 (Pidgin)
File : nvt/glsa_201206_11.nasl
2012-08-03 Name : Mandriva Update for pidgin MDVSA-2012:029 (pidgin)
File : nvt/gb_mandriva_MDVSA_2012_029.nasl
2012-08-03 Name : Mandriva Update for pidgin MDVSA-2012:082 (pidgin)
File : nvt/gb_mandriva_MDVSA_2012_082.nasl
2012-07-30 Name : CentOS Update for finch CESA-2011:1371 centos4 x86_64
File : nvt/gb_CESA-2011_1371_finch_centos4_x86_64.nasl
2012-07-30 Name : CentOS Update for finch CESA-2011:1371 centos5 x86_64
File : nvt/gb_CESA-2011_1371_finch_centos5_x86_64.nasl
2012-07-30 Name : CentOS Update for finch CESA-2011:1820 centos4 x86_64
File : nvt/gb_CESA-2011_1820_finch_centos4_x86_64.nasl
2012-07-30 Name : CentOS Update for finch CESA-2011:1820 centos5 x86_64
File : nvt/gb_CESA-2011_1820_finch_centos5_x86_64.nasl
2012-07-30 Name : CentOS Update for finch CESA-2011:1821 centos6
File : nvt/gb_CESA-2011_1821_finch_centos6.nasl
2012-07-30 Name : CentOS Update for finch CESA-2012:1102 centos5
File : nvt/gb_CESA-2012_1102_finch_centos5.nasl
2012-07-30 Name : CentOS Update for finch CESA-2012:1102 centos6
File : nvt/gb_CESA-2012_1102_finch_centos6.nasl
2012-07-23 Name : RedHat Update for pidgin RHSA-2012:1102-01
File : nvt/gb_RHSA-2012_1102-01_pidgin.nasl
2012-07-16 Name : Fedora Update for pidgin FEDORA-2012-10294
File : nvt/gb_fedora_2012_10294_pidgin_fc16.nasl
2012-07-16 Name : Mandriva Update for pidgin MDVSA-2012:105 (pidgin)
File : nvt/gb_mandriva_MDVSA_2012_105.nasl
2012-07-10 Name : Ubuntu Update for pidgin USN-1500-1
File : nvt/gb_ubuntu_USN_1500_1.nasl
2012-07-09 Name : RedHat Update for pidgin RHSA-2011:1821-01
File : nvt/gb_RHSA-2011_1821-01_pidgin.nasl
2012-07-04 Name : Pidgin MSN and XMPP Denial of Service Vulnerabilities (Windows)
File : nvt/gb_pidgin_msn_n_xmpp_dos_vuln_win.nasl
2012-06-11 Name : Fedora Update for pidgin FEDORA-2012-8686
File : nvt/gb_fedora_2012_8686_pidgin_fc16.nasl

Snort® IPS/IDS

Date Description
2016-12-29 Pidgin MXIT file transfer length memory disclosure attempt
RuleID : 40876 - Type : SERVER-OTHER - Revision : 2
2016-06-07 Pidgin MXIT message length overflow attempt
RuleID : 39151 - Type : SERVER-OTHER - Revision : 3
2016-06-07 Pidgin MXIT negative message length underflow attempt
RuleID : 39150 - Type : SERVER-OTHER - Revision : 3
2016-05-12 Pidgin mxit_chunk_parse_cr out of bounds read attempt
RuleID : 38870 - Type : SERVER-OTHER - Revision : 3
2016-05-12 Pidgin mxit_chunk_parse_get_avatar out of bounds read attempt
RuleID : 38867 - Type : SERVER-OTHER - Revision : 3
2016-04-21 Pidgin mxit_parse_cmd_suggestcontacts out of bounds read attempt
RuleID : 38583 - Type : SERVER-OTHER - Revision : 3
2016-04-21 Pidgin multimx_message_received out of bounds read attempt
RuleID : 38578 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin MXIT protocol handling splash_remove directory traversal attempt
RuleID : 38551 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin MXIT protocol handling splash_remove directory traversal attempt
RuleID : 38550 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin mxit_parse_cmd_extprofile out of bounds read attempt
RuleID : 38549 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin MXIT protocol handling null pointer dereference attempt
RuleID : 38548 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin MXIT table markup command out of bounds read attempt
RuleID : 38547 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin MXIT table markup command out of bounds read attempt
RuleID : 38546 - Type : SERVER-OTHER - Revision : 3
2016-04-19 Pidgin mxit_update_contact out of bounds read attempt
RuleID : 38545 - Type : SERVER-OTHER - Revision : 3
2016-03-29 Pidgin MXIT is operation null pointer dereference attempt
RuleID : 38345 - Type : SERVER-OTHER - Revision : 3
2016-03-29 Pidgin MXIT is operation null pointer dereference attempt
RuleID : 38344 - Type : SERVER-OTHER - Revision : 3
2015-10-01 TAR archive with absolute path detected
RuleID : 35827 - Type : FILE-OTHER - Revision : 2
2015-10-01 TAR archive with absolute path detected
RuleID : 35826 - Type : FILE-OTHER - Revision : 2
2014-01-10 multiple chat protocols link to local file attempt
RuleID : 28090 - Type : POLICY-SOCIAL - Revision : 3
2014-01-10 multiple chat protocols link to local file attempt
RuleID : 28089 - Type : POLICY-SOCIAL - Revision : 3
2014-01-10 Pidgin MXIT emoticon integer overflow attempt
RuleID : 28088 - Type : POLICY-SOCIAL - Revision : 4

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2017-09-08 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2017-1165.nasl - Type: ACT_GATHER_INFO
2017-09-08 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2017-1166.nasl - Type: ACT_GATHER_INFO
2017-08-25 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2017-1854.nasl - Type: ACT_GATHER_INFO
2017-08-22 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20170801_pidgin_on_SL7_x.nasl - Type: ACT_GATHER_INFO
2017-08-09 Name: The remote Oracle Linux host is missing one or more security updates.
File: oraclelinux_ELSA-2017-1854.nasl - Type: ACT_GATHER_INFO
2017-08-02 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-1854.nasl - Type: ACT_GATHER_INFO
2017-07-10 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2017-1131.nasl - Type: ACT_GATHER_INFO
2017-06-07 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201706-10.nasl - Type: ACT_GATHER_INFO
2017-04-12 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2017-457.nasl - Type: ACT_GATHER_INFO
2017-04-05 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2017-431.nasl - Type: ACT_GATHER_INFO
2017-04-03 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2017-410.nasl - Type: ACT_GATHER_INFO
2017-03-24 Name: An instant messaging client installed on the remote host is affected by a rem...
File: pidgin_2_12_0.nasl - Type: ACT_GATHER_INFO
2017-03-16 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2017-074-01.nasl - Type: ACT_GATHER_INFO
2017-03-15 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-3231-1.nasl - Type: ACT_GATHER_INFO
2017-03-13 Name: The remote Debian host is missing a security update.
File: debian_DLA-853.nasl - Type: ACT_GATHER_INFO
2017-03-10 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3806.nasl - Type: ACT_GATHER_INFO
2017-01-17 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201701-38.nasl - Type: ACT_GATHER_INFO
2016-07-18 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3620.nasl - Type: ACT_GATHER_INFO
2016-07-13 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-3031-1.nasl - Type: ACT_GATHER_INFO
2016-07-05 Name: The remote Debian host is missing a security update.
File: debian_DLA-542.nasl - Type: ACT_GATHER_INFO
2016-06-23 Name: An instant messaging client installed on the remote host is affected by multi...
File: pidgin_2_11_0.nasl - Type: ACT_GATHER_INFO
2015-08-17 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201508-02.nasl - Type: ACT_GATHER_INFO
2015-01-19 Name: The remote Solaris system is missing a security patch for third-party software.
File: solaris11_pidgin_20121009.nasl - Type: ACT_GATHER_INFO
2015-01-19 Name: The remote Solaris system is missing a security patch for third-party software.
File: solaris11_pidgin_20130716.nasl - Type: ACT_GATHER_INFO
2015-01-19 Name: The remote Solaris system is missing a security patch for third-party software.
File: solaris11_pidgin_20140731.nasl - Type: ACT_GATHER_INFO