WeeChat :: documentation

WSA	CVE	Score	Severity	Issue	Vulnerability type	Scope	Versions	Fix	Release date
WSA-2013-2	-	5.5		Crash on send of unknown commands to IRC server.	Access of uninitialized pointer	IRC	0.3.0 → 0.4.0	0.4.1	May 20, 2013

CVE

Not available

CVSS vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)

CVSS score

5.5 / 10

Severity

medium

Vulnerability type

Access of uninitialized pointer (detail)

Scope

IRC

Affected versions

0.3.0 → 0.4.0

Fixed version

0.4.1 (May 20, 2013) - ChangeLog

Tracker

Not available

Commits

Strings are built with uncontrolled format when unknown IRC commands are sent to server, if option irc.network.send_unknown_commands is enabled.

There are multiple ways to mitigate this issue:

Turn off option to send unknown commands: /set irc.network.send_unknown_commands off
Do not use formatting chars like "%" when sending unknown commands to server.