Vulnerability Details CVE-2016-7143
The m_authenticate function in modules/m_sasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 76.1%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- http://www.debian.org/security/2016/dsa-3661
- http://www.openwall.com/lists/oss-security/2016/09/04/3
- http://www.openwall.com/lists/oss-security/2016/09/05/8
- http://www.securityfocus.com/bid/92761
- https://github.com/charybdis-ircd/charybdis/blob/charybdis-3.5.3/NEWS.md
- https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824
- http://www.debian.org/security/2016/dsa-3661
- http://www.openwall.com/lists/oss-security/2016/09/04/3
- http://www.openwall.com/lists/oss-security/2016/09/05/8
- http://www.securityfocus.com/bid/92761
- https://github.com/charybdis-ircd/charybdis/blob/charybdis-3.5.3/NEWS.md
- https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824
Products affected by CVE-2016-7143
-
cpe:2.3:a:charybdis_project:charybdis:3.4.0
-
cpe:2.3:a:charybdis_project:charybdis:3.4.1
-
cpe:2.3:a:charybdis_project:charybdis:3.4.2
-
cpe:2.3:a:charybdis_project:charybdis:3.5.0
-
cpe:2.3:a:charybdis_project:charybdis:3.5.1
-
cpe:2.3:a:charybdis_project:charybdis:3.5.2
-
cpe:2.3:o:debian:debian_linux:8.0