Security vulnerabilities in version 2.3

This page lists all known and fixed security vulnerabilities in version 2.3 (back to the list of all versions).

Overview: 4 vulnerabilities

WSA CVE Score Severity Issue Scope Vulnerability type Versions Fix Release date
WSA-2021-1 CVE-2021-40516 7.5
Crash on malformed websocket frame in relay plugin. Relay Out-of-bounds read 0.4.1 → 3.2 3.2.1
WSA-2020-3 CVE-2020-9760 7.5
Buffer overflow on new IRC message 005 with nick prefixes. IRC Out-of-bounds write 0.3.4 → 2.7 2.7.1
WSA-2020-2 CVE-2020-9759 7.5
Crash on malformed IRC message 352 (WHO). IRC Out-of-bounds read 0.4.0 → 2.7 2.7.1
WSA-2020-1 CVE-2020-8955 7.5
Buffer overflow on malformed IRC message 324 (channel mode). IRC Out-of-bounds write 0.3.8 → 2.7 2.7.1

WSA-2021-1: [Relay] Crash on malformed websocket frame in relay plugin.

Vulnerability
CVE
CVE-2021-40516 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
Relay
Affected versions
0.4.1 → 3.2
Fixed version
3.2.1 () - ChangeLog
Tracker
Not available
Commits
Description
A crash happens when decoding a malformed websocket frame in relay plugin.
This happens even if a password is set in relay plugin, the malformed websocket frame can be received before the authentication of the client.
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.

Vulnerability
CVE
CVE-2020-9760 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.4 → 2.7
Fixed version
2.7.1 () - ChangeLog
Tracker
Not available
Commits
Description
A buffer overflow happens when a new IRC message 005 is received with longer nick prefixes.
Note: a "normal" IRC server should not send again a message 005 with new nick prefixes, so the problem should be limited to malicious IRC servers.
Mitigation
There is no known mitigation.
The upgrade of WeeChat to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-2: [IRC] Crash on malformed IRC message 352 (WHO).

Vulnerability
CVE
CVE-2020-9759 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
IRC
Affected versions
0.4.0 → 2.7
Fixed version
2.7.1 () - ChangeLog
Tracker
Not available
Commits
Description
Crash when receiving a malformed IRC message 352 (WHO).
Mitigation
With WeeChat ≥ 1.1, you can create a trigger:

/trigger add fix_irc_352 modifier "irc_in_352" "${arguments} =~ .* \*$" "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-1: [IRC] Buffer overflow on malformed IRC message 324 (channel mode).

Vulnerability
CVE
CVE-2020-8955 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.8 → 2.7
Fixed version
2.7.1 () - ChangeLog
Tracker
Not available
Commits
Description
Buffer overflow when receiving a malformed IRC message 324 (channel mode).
Mitigation
There is no known mitigation.
The upgrade of WeeChat to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.