Security vulnerabilities

This page lists all known and fixed security vulnerabilities in stable releases.
Vulnerabilities introduced during development of a version and fixed before its stable release are not listed.

WeeChat Security Advisories (WSA) are sent to the weechat-security mailing list as soon as they are made public.
To report a security issue, please DO NOT file an issue on GitHub; send an email to security@weechat.org instead.

Overview: 16 vulnerabilities

WSA | CVE | Score | Severity | Vulnerability | Vulnerability type | Scope | Versions | Fix
WSA-2022-1 | CVE-2022-28352 | 4.3 | medium | Possible man-in-the-middle attack in TLS connection to servers. | Improper certificate validation | IRC, Plugins | 3.2 → 3.4 | 3.4.1
WSA-2021-1 | CVE-2021-40516 | 7.5 | high | Crash on malformed websocket frame in relay plugin. | Out-of-bounds read | Relay | 0.4.1 → 3.2 | 3.2.1
WSA-2020-3 | CVE-2020-9760 | 7.5 | high | Buffer overflow on new IRC message 005 with nick prefixes. | Out-of-bounds write | IRC | 0.3.4 → 2.7 | 2.7.1
WSA-2020-2 | CVE-2020-9759 | 7.5 | high | Crash on malformed IRC message 352 (WHO). | Out-of-bounds read | IRC | 0.4.0 → 2.7 | 2.7.1
WSA-2020-1 | CVE-2020-8955 | 7.5 | high | Buffer overflow on malformed IRC message 324 (channel mode). | Out-of-bounds write | IRC | 0.3.8 → 2.7 | 2.7.1
WSA-2017-2 | CVE-2017-14727 | 7.5 | high | Use of invalid pointer in build of log filename. | Access of uninitialized pointer | Logger | 0.3.2 → 1.9 | 1.9.1
WSA-2017-1 | CVE-2017-8073 | 7.5 | high | Buffer overflow when receiving a DCC file. | Out-of-bounds write | IRC | 0.3.3 → 1.7 | 1.7.1
WSA-2013-3 | - | 7.5 | high | Crash on IRC commands sent via Relay. | Access of uninitialized pointer | Relay | 0.3.8 → 0.4.0 | 0.4.1
WSA-2013-2 | - | 5.5 | medium | Crash on send of unknown commands to IRC server. | Access of uninitialized pointer | IRC | 0.3.0 → 0.4.0 | 0.4.1
WSA-2013-1 | - | 5.5 | medium | Crash on nicks monitored with /notify. | Access of uninitialized pointer | IRC | 0.3.6 → 0.4.0 | 0.4.1
WSA-2012-2 | CVE-2012-5534 | 10.0 | critical | Remote execution of commands via scripts. | Improper input validation | API | 0.3.0 → 0.3.9.1 | 0.3.9.2
WSA-2012-1 | CVE-2012-5854 | 7.5 | high | Crash when decoding IRC colors. | Out-of-bounds write | IRC | 0.3.6 → 0.3.9 | 0.3.9.1
WSA-2011-1 | CVE-2011-1428 | 5.3 | medium | Possible man-in-the-middle attack in TLS connection to IRC server. | Improper certificate validation | IRC | 0.1.3 → 0.3.4 | 0.3.5
WSA-2009-1 | CVE-2009-0661 | 7.5 | high | Crash when receiving WeeChat color codes in IRC messages. | Out-of-bounds read | IRC | 0.2.6 | 0.2.6.1
WSA-2006-1 | - | 6.2 | medium | Crash in API function infobar_printf. | Access of uninitialized pointer | API | 0.0.5 → 0.1.6 | 0.1.7
WSA-2004-1 | - | 6.2 | medium | Buffer overflows in build of strings. | Out-of-bounds write | Core, IRC | 0.0.1 → 0.0.4 | 0.0.5

WSA-2022-1: [IRC, Plugins] Possible man-in-the-middle attack in TLS connection to servers.

Vulnerability
CVE
CVE-2022-28352 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (detail)
CVSS score
4.3 / 10
Severity
medium
Vulnerability type
Improper certificate validation (detail)
Scope
IRC, Plugins
Affected versions
3.2 → 3.4
Fixed version
3.4.1 - ChangeLog
Tracker
Commits
Description
After changing the option weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is no longer set.
Consequently, any TLS connection to a server is made without verifying the server certificate, which could allow a man-in-the-middle attack.
Connections to IRC servers with TLS are affected, as well as any connection to a server made by a plugin or a script using the API function hook_connect.
Mitigation
After changing options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, you must restart WeeChat.

WSA-2021-1: [Relay] Crash on malformed websocket frame in relay plugin.

Vulnerability
CVE
CVE-2021-40516 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
Relay
Affected versions
0.4.1 → 3.2
Fixed version
3.2.1 - ChangeLog
Tracker
Not available
Commits
Description
A crash happens when decoding a malformed websocket frame in the relay plugin.
This happens even if a password is set in the relay plugin, because the malformed websocket frame can be received before the client has authenticated.
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.

Vulnerability
CVE
CVE-2020-9760 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.4 → 2.7
Fixed version
2.7.1 - ChangeLog
Tracker
Not available
Commits
Description
A buffer overflow happens when a new IRC message 005 is received with nick prefixes longer than those received previously.
Note: a "normal" IRC server should not send a message 005 again with new nick prefixes, so the problem should be limited to malicious IRC servers.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-2: [IRC] Crash on malformed IRC message 352 (WHO).

Vulnerability
CVE
CVE-2020-9759 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
IRC
Affected versions
0.4.0 → 2.7
Fixed version
2.7.1 - ChangeLog
Tracker
Not available
Commits
Description
Crash when receiving a malformed IRC message 352 (WHO).
Mitigation
With WeeChat ≥ 1.1, you can create a trigger:

/trigger add fix_irc_352 modifier "irc_in_352" "${arguments} =~ .* \*$" "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2020-1: [IRC] Buffer overflow on malformed IRC message 324 (channel mode).

Vulnerability
CVE
CVE-2020-8955 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.8 → 2.7
Fixed version
2.7.1 - ChangeLog
Tracker
Not available
Commits
Description
Buffer overflow when receiving a malformed IRC message 324 (channel mode).
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2017-2: [Logger] Use of invalid pointer in build of log filename.

Vulnerability
CVE
CVE-2017-14727 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Access of uninitialized pointer (detail)
Scope
Logger
Affected versions
0.3.2 → 1.9
Fixed version
1.9.1 - ChangeLog
Tracker
Not available
Commits
Description
Date/time conversion specifiers are expanded after buffer local variables have been replaced in the log file name. In some cases this leads to an error in the function strftime and to a crash caused by use of an uninitialized buffer.
Mitigation
You can unload the logger plugin, which stops recording of all buffers: /plugin unload logger.
Credit
The issue was discovered by Joseph Bisch.

WSA-2017-1: [IRC] Buffer overflow when receiving a DCC file.

Vulnerability
CVE
CVE-2017-8073 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.3 → 1.7
Fixed version
1.7.1 - ChangeLog
Tracker
Not available
Commits
Description
Buffer overflow when removing quotes from the DCC filename.
Mitigation
With WeeChat ≥ 1.1, you can create a trigger:

/trigger add irc_dcc_quotes modifier "irc_in_privmsg" "${arguments} =~ ^[^ ]+ :${\x01}DCC SEND ${\x22} " "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.
Credit
The issue was discovered by Tobias Stoeckmann.

WSA-2013-3: [Relay] Crash on IRC commands sent via Relay.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Access of uninitialized pointer (detail)
Scope
Relay
Affected versions
0.3.8 → 0.4.0
Fixed version
0.4.1 - ChangeLog
Tracker
Not available
Commits
Description
Strings are built with an uncontrolled format string when IRC commands are redirected by the relay plugin. If the redirected command or its output contains formatting characters such as "%", WeeChat can crash.
Mitigation
You can remove all relays of type "irc", see /help relay.

WSA-2013-2: [IRC] Crash on send of unknown commands to IRC server.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)
CVSS score
5.5 / 10
Severity
medium
Vulnerability type
Access of uninitialized pointer (detail)
Scope
IRC
Affected versions
0.3.0 → 0.4.0
Fixed version
0.4.1 - ChangeLog
Tracker
Not available
Commits
Description
Strings are built with an uncontrolled format string when unknown IRC commands are sent to the server, if the option irc.network.send_unknown_commands is enabled.
Mitigation
There are multiple ways to mitigate this issue:

WSA-2013-1: [IRC] Crash on nicks monitored with /notify.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)
CVSS score
5.5 / 10
Severity
medium
Vulnerability type
Access of uninitialized pointer (detail)
Scope
IRC
Affected versions
0.3.6 → 0.4.0
Fixed version
0.4.1 - ChangeLog
Tracker
Not available
Commits
Description
Strings are built with an uncontrolled format string when nicks containing "%" are monitored with the command /notify.
Mitigation
Do not use the command /notify with nicks containing formatting characters such as "%".

WSA-2012-2: [API] Remote execution of commands via scripts.

Vulnerability
CVE
CVE-2012-5534 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (detail)
CVSS score
10.0 / 10
Severity
critical
Vulnerability type
Improper input validation (detail)
Scope
API
Affected versions
0.3.0 → 0.3.9.1
Fixed version
0.3.9.2 - ChangeLog
Tracker
Commits
Description
An untrusted command passed to the API function hook_process could lead to execution of arbitrary commands because of shell expansion (so the problem is only caused by some scripts, not by WeeChat itself).
Mitigation
Remove/unload all scripts calling the API function hook_process.

WSA-2012-1: [IRC] Crash when decoding IRC colors.

Vulnerability
CVE
CVE-2012-5854 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.6 → 0.3.9
Fixed version
0.3.9.1 - ChangeLog
Tracker
Commits
Description
A buffer overflow happens when decoding some IRC colors in strings.
Mitigation
Turn off handling of colors in incoming IRC messages:

/set irc.network.colors_receive off

WSA-2011-1: [IRC] Possible man-in-the-middle attack in TLS connection to IRC server.

Vulnerability
CVE
CVE-2011-1428 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (detail)
CVSS score
5.3 / 10
Severity
medium
Vulnerability type
Improper certificate validation (detail)
Scope
IRC
Affected versions
0.1.3 → 0.3.4
Fixed version
0.3.5 - ChangeLog
Tracker
Commits
Description
Due to insufficient checking of the TLS certificate in the IRC plugin, a man-in-the-middle attacker can spoof a server with an arbitrary certificate.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2009-1: [IRC] Crash when receiving WeeChat color codes in IRC messages.

Vulnerability
CVE
CVE-2009-0661 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
IRC
Affected versions
0.2.6
Fixed version
0.2.6.1 - ChangeLog
Tracker
Commits
Description
A crash happens when receiving some WeeChat internal color codes in IRC messages.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2006-1: [API] Crash in API function infobar_printf.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
6.2 / 10
Severity
medium
Vulnerability type
Access of uninitialized pointer (detail)
Scope
API
Affected versions
0.0.5 → 0.1.6
Fixed version
0.1.7 - ChangeLog
Tracker
Not available
Description
Strings are built with an uncontrolled format string in the API function infobar_printf.
Mitigation
Remove/unload all scripts calling the API function infobar_printf.
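WSA-2013-1, WSA-2013-2, WSA-2013-3 and WSA-2006-1 above all share one bug class: text that came from the network (a nick, a command, a relay output line) was handed to a printf-style function as the format string instead of as an argument. The following added example is not WeeChat code and not taken from the advisories; it uses a hypothetical printf-like sink, ui_printf, standing in for a format-taking API such as infobar_printf, and contrasts the vulnerable pattern with two safe ones: a literal "%s" format, and escaping "%" as "%%" for the case where an API insists on a format string (the situation a script calling infobar_printf faces). The helper names are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical printf-like sink (assumption: stands in for a format-taking
 * API such as infobar_printf, or the notify/relay message builders). */
static int ui_printf(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the nick is interpolated into a message first, then the
 * finished message is passed to ui_printf as the FORMAT. A nick such as
 * "%s%s%n" makes this undefined behaviour (crash or worse). Shown for
 * contrast only; never call it with untrusted text. */
static int notify_vulnerable(char *out, size_t out_size, const char *nick)
{
    char msg[256];
    snprintf(msg, sizeof msg, "%s is online", nick);
    return ui_printf(out, out_size, msg);            /* BUG: data used as format */
}

/* FIXED pattern: literal format, nick travels as an argument and is copied
 * byte for byte, never parsed for directives. */
static int notify_fixed(char *out, size_t out_size, const char *nick)
{
    return ui_printf(out, out_size, "%s is online", nick);
}

/* When an API only accepts a format string, neutralise every directive by
 * doubling '%' to "%%". Returns a malloc'd string; the caller frees it. */
static char *escape_format(const char *s)
{
    size_t len = strlen(s);
    char *esc = malloc(2 * len + 1);
    if (!esc)
        return NULL;
    char *p = esc;
    for (const char *q = s; *q; q++) {
        *p++ = *q;
        if (*q == '%')
            *p++ = '%';
    }
    *p = '\0';
    return esc;
}

/* Triage helper: does untrusted text contain anything printf would interpret? */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* 1 if the fixed path reproduces a hostile nick literally (no expansion). */
static int check_fixed_keeps_nick_literal(const char *nick)
{
    char out[256], expected[256];
    notify_fixed(out, sizeof out, nick);
    snprintf(expected, sizeof expected, "%s is online", nick);
    return strcmp(out, expected) == 0;
}

/* 1 if escaping then formatting round-trips the original text unchanged. */
static int check_escape_roundtrip(const char *text)
{
    char out[256];
    char *esc = escape_format(text);
    if (!esc)
        return 0;
    ui_printf(out, sizeof out, esc);   /* esc holds only "%%", so this is safe */
    free(esc);
    return strcmp(out, text) == 0;
}

/* 1 if both paths agree on a nick without '%': this is why the bug hides
 * in normal use and only surfaces with crafted input. Benign nicks only. */
static int check_paths_agree_on_benign_nick(const char *nick)
{
    char a[256], b[256];
    if (has_format_directive(nick))
        return 0;
    notify_vulnerable(a, sizeof a, nick);
    notify_fixed(b, sizeof b, nick);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char out[256];
    notify_fixed(out, sizeof out, "bob%s%n");       /* constructed hostile nick */
    printf("fixed path, hostile nick: %s\n", out);
    printf("\"50%% done\" needs escaping: %d\n", has_format_directive("50% done"));
    return 0;
}
```

The mitigation the advisories recommend (avoid "%" in nicks, remove "irc" relays, unload scripts calling infobar_printf) removes the attacker's control of the format string from outside; the code-level fix is the notify_fixed shape, where the only format string is a compile-time literal.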

WSA-2004-1: [Core, IRC] Buffer overflows in build of strings.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
6.2 / 10
Severity
medium
Vulnerability type
Out-of-bounds write (detail)
Scope
Core, IRC
Affected versions
0.0.1 → 0.0.4
Fixed version
0.0.5 - ChangeLog
Tracker
Not available
Commits
Description
Buffer overflows happen when building strings in several places.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.