Pidgin 'Libpurple' Cipher API Information Disclosure Vulnerability (Windows) Network Vulnerability

Summary

This host is installed with Pidgin and is prone to information disclosure vulnerability.

Impact

Successful exploitation will allow attacker to gain sensitive information. Impact Level: Application

Solution

Upgrade to Pidgin version 2.7.10 or later, For updates refer to http://pidgin.im/download

Insight

The flaw is due to the 'md5_uninit()', 'md4_uninit()', 'des_uninit()', 'des3_uninit()', 'rc4_uninit()', and 'purple_cipher_context_destroy()' functions in libpurple/cipher.c not properly clearing certain sensitive structures, which can lead to potentially sensitive information disclosure remaining in memory.

Affected

Pidgin version prior 2.7.10 on Windows

References

http://openwall.com/lists/oss-security/2012/01/04/13
http://osvdb.org/show/osvdb/72798
http://secunia.com/advisories/43271/
http://www.pidgin.im/news/security/?id=50

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4922
CVSS Base Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

CuteNews Detection
HTTP TRACE
HTTP Server type and version
CPE-based Policy Check
Becky Internet Mail Version Detection

Take action and discover your vulnerabilities