Miggo Logo
Miggo Vulnerability Database
CVE-2022-45197

CVE-2022-45197: Slixmpp lacks SSL Certificate hostname validation in XMLStream

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-45197
GHSA ID
GHSA-q6cq-m9gm-6q2f
EPSS Score
0.24104%
CWE
CWE-295
Published
12/25/2022
Updated
10/23/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
slixmpppip< 1.8.31.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly states that SSL certificate hostname validation was missing in XMLStream. The XMLStream component handles connection logic, and TLS setup would occur in a method like _start_tls. The CWE-295 (Improper Certificate Validation) and the advisory's focus on XMLStream strongly indicate the TLS initialization function lacked check_hostname=True in SSL context configuration or equivalent validation. The first patched version (1.8.3) likely added this validation in the TLS setup routine of XMLStream.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Slixmpp ***or* *.*.* l**ks SSL **rti*i**t* *ostn*m* v*li**tion in XMLStr**m, *llowin* *n *tt**k*r to pos* *s *ny s*rv*r in t** *y*s o* Slixmpp.

Reasoning

T** vuln*r**ility *xpli*itly st*t*s t**t SSL **rti*i**t* *ostn*m* v*li**tion w*s missin* in XMLStr**m. T** XMLStr**m *ompon*nt **n*l*s *onn**tion lo*i*, *n* TLS s*tup woul* o**ur in * m*t*o* lik* _st*rt_tls. T** *W*-*** (Improp*r **rti*i**t* V*li**ti