CVE-2022-28352
First published: Sat Apr 02 2022(Updated: )
WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WeeChat | >=3.2<3.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-28352?
CVE-2022-28352 is considered a critical vulnerability due to its potential to allow man-in-the-middle attacks.
How do I fix CVE-2022-28352?
To fix CVE-2022-28352, upgrade WeeChat to version 3.4.1 or later, which properly verifies TLS certificates.
What versions of WeeChat are affected by CVE-2022-28352?
CVE-2022-28352 affects WeeChat versions 3.2 through 3.4 before 3.4.1.
What type of vulnerability is CVE-2022-28352?
CVE-2022-28352 is a TLS certificate verification vulnerability that can be exploited for man-in-the-middle attacks.
Who can be affected by CVE-2022-28352?
Users of WeeChat versions 3.2 to 3.4 prior to 3.4.1 are at risk of being affected by CVE-2022-28352.
- agent/references
- agent/type
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/weechat
- canonical/weechat
- version/weechat/3.2