CVE-2016-10376
Summary
| CVE | CVE-2016-10376 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-05-28 00:29:00 UTC |
| Updated | 2017-11-06 02:29:00 UTC |
| Description | Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. |
Risk And Classification
Problem Types: CWE-310
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Add config option to activate XEP-0146 commands (cb65cfc5) · Commits · gajim / gajim · GitLab | MISC | dev.gajim.org | Patch, Vendor Advisory |
| #863445 - gajim: CVE-2016-10376: possible to remote extract plain-text from encrypted sessions - Debian Bug report logs | MISC | bugs.debian.org | Third Party Advisory |
| Gajim: Information disclosure (GLSA 201707-14) — Gentoo security | GENTOO | security.gentoo.org | |
| [Standards] Depreciating XEP-0146: Remote Controlling Clients | MISC | mail.jabber.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-3943-1 gajim | DEBIAN | www.debian.org | |
| XEP-0146 makes it possible to extract plain-text from OTR sessions (#8378) · Issues · gajim / gajim · GitLab | MISC | dev.gajim.org | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710534 Gentoo Linux Gajim Information disclosure Vulnerability (GLSA 201707-14)