Summary
This host is installed with Pidgin and is prone to an information disclosure vulnerability.
Impact
Successful exploitation allows an attacker to gain sensitive information.
Impact Level: Application
Solution
Upgrade to Pidgin version 2.7.10 or later.
For updates, refer to http://pidgin.im/download
Insight
The flaw is due to the 'md5_uninit()', 'md4_uninit()', 'des_uninit()', 'des3_uninit()', 'rc4_uninit()', and 'purple_cipher_context_destroy()' functions in libpurple/cipher.c not properly clearing certain sensitive structures, which can leave potentially sensitive information in memory, where it may be disclosed.
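The pattern described above, as an added example that is not libpurple's code: an uninit routine that leaves key material in the context's storage, beside one that wipes it. The `demo_*` names, the context layout, the toy key schedule and the key are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cipher context; not libpurple's real structure layout. */
typedef struct {
    uint8_t key[16];    /* secret key material */
    uint8_t state[32];  /* intermediate state derived from the key */
    int     in_use;
} demo_cipher_ctx;

void demo_init(demo_cipher_ctx *ctx, const uint8_t *key, size_t len) {
    memset(ctx, 0, sizeof *ctx);
    if (len > sizeof ctx->key) len = sizeof ctx->key;
    memcpy(ctx->key, key, len);
    for (size_t i = 0; i < sizeof ctx->state; i++)  /* toy key schedule */
        ctx->state[i] = (uint8_t)(ctx->key[i % sizeof ctx->key] ^ (uint8_t)i);
    ctx->in_use = 1;
}

/* Weak pattern: marks the context unused but leaves key and state bytes behind. */
void demo_uninit_weak(demo_cipher_ctx *ctx) { ctx->in_use = 0; }

/* Wipe through a volatile pointer so the stores are not removed as dead writes. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Hardened pattern: clear the whole structure before it is released or reused. */
void demo_uninit_hardened(demo_cipher_ctx *ctx) { secure_wipe(ctx, sizeof *ctx); }

/* Count non-zero bytes left in the storage, i.e. residue a later reader could see. */
size_t residue_bytes(const void *p, size_t n) {
    const uint8_t *b = p;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) if (b[i]) count++;
    return count;
}

/* Init, uninit, then inspect the still-live storage (stands in for reused memory). */
size_t residue_after(int hardened) {
    static const uint8_t key[] = "CONSTRUCTED-KEY!";  /* constructed sample key */
    demo_cipher_ctx ctx;
    demo_init(&ctx, key, sizeof key - 1);
    if (hardened) demo_uninit_hardened(&ctx); else demo_uninit_weak(&ctx);
    return residue_bytes(&ctx, sizeof ctx);
}
int main(void) { printf("weak=%zu hardened=%zu\n", residue_after(0), residue_after(1)); return 0; }
```

Where the platform provides one, a dedicated wiping primitive such as `explicit_bzero` or `SecureZeroMemory` serves the same purpose as the volatile loop.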
Affected
Pidgin versions prior to 2.7.10 on Windows
References
Severity
Classification
CVE: CVE-2011-4922
CVSS Base Score: 2.1
CVSS Base Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N