Upstream information

CVE-2017-5593 at MITRE

Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Psi+ (0.16.563.580 - 0.16.571.627).

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
CVSS v3 Scores
  National Vulnerability Database
Base Score 5.9
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Access Vector Network
Access Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact High
Availability Impact None
CVSSv3 Version 3
SUSE Bugzilla entry: 1024687 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • psi+ >= 1.5.1548+0-2.3
  • psi+-data >= 1.5.1548+0-2.3
  • psi+-plugins-attentionplugin >= 1.5.1548+0-2.3
  • psi+-plugins-autoreplyplugin >= 1.5.1548+0-2.3
  • psi+-plugins-birthdayreminderplugin >= 1.5.1548+0-2.3
  • psi+-plugins-chessplugin >= 1.5.1548+0-2.3
  • psi+-plugins-cleanerplugin >= 1.5.1548+0-2.3
  • psi+-plugins-clientswitcherplugin >= 1.5.1548+0-2.3
  • psi+-plugins-conferenceloggerplugin >= 1.5.1548+0-2.3
  • psi+-plugins-contentdownloaderplugin >= 1.5.1548+0-2.3
  • psi+-plugins-devel >= 1.5.1548+0-2.3
  • psi+-plugins-enummessagesplugin >= 1.5.1548+0-2.3
  • psi+-plugins-extendedmenuplugin >= 1.5.1548+0-2.3
  • psi+-plugins-extendedoptionsplugin >= 1.5.1548+0-2.3
  • psi+-plugins-gomokugameplugin >= 1.5.1548+0-2.3
  • psi+-plugins-historykeeperplugin >= 1.5.1548+0-2.3
  • psi+-plugins-imageplugin >= 1.5.1548+0-2.3
  • psi+-plugins-imagepreviewplugin >= 1.5.1548+0-2.3
  • psi+-plugins-jabberdiskplugin >= 1.5.1548+0-2.3
  • psi+-plugins-juickplugin >= 1.5.1548+0-2.3
  • psi+-plugins-messagefilterplugin >= 1.5.1548+0-2.3
  • psi+-plugins-omemoplugin >= 1.5.1548+0-2.3
  • psi+-plugins-openpgpplugin >= 1.5.1548+0-2.3
  • psi+-plugins-otrplugin >= 1.5.1548+0-2.3
  • psi+-plugins-pepchangenotifyplugin >= 1.5.1548+0-2.3
  • psi+-plugins-qipxstatusesplugin >= 1.5.1548+0-2.3
  • psi+-plugins-screenshotplugin >= 1.5.1548+0-2.3
  • psi+-plugins-stopspamplugin >= 1.5.1548+0-2.3
  • psi+-plugins-storagenotesplugin >= 1.5.1548+0-2.3
  • psi+-plugins-translateplugin >= 1.5.1548+0-2.3
  • psi+-plugins-videostatusplugin >= 1.5.1548+0-2.3
  • psi+-plugins-watcherplugin >= 1.5.1548+0-2.3
Patchnames:
openSUSE Tumbleweed GA psi+-1.5.1548+0-2.3