GHSA-779w-xvpm-78jx: twitch-tui's connection is not encrypted

Summary

The connection is not using TLS for communication.

Details

In the configuration of the IRC connection, you are disabling TLS, which makes all communication to Twitch IRC servers unencrypted.

PoC

You can verify by using tcpdump/wireshark that traffic is unencrypted.

Impact

Communication can be sniffed, even auth tokens.
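
The check described under PoC and Impact, applied to bytes copied out of a capture, as an added example (not code from twitch-tui or the advisory): it classifies the first client payload as a TLS ClientHello or cleartext IRC and reports whether a `PASS oauth:` login line is visible, without printing the token. The type and function names and the sample payloads are constructed for illustration.

```rust
// Added example: classify the first client-to-server TCP payload of a chat
// connection, copied out of a tcpdump/Wireshark capture of your own session.
#[derive(Debug, PartialEq)]
enum Transport {
    Tls,                                  // TLS handshake record seen
    PlaintextIrc { token_exposed: bool }, // readable IRC commands on the wire
    Unknown,
}

fn classify(payload: &[u8]) -> Transport {
    // TLS record header: type 0x16 (handshake), version major 0x03, two
    // length bytes, then handshake type 0x01 (ClientHello) at offset 5.
    if payload.len() >= 6 && payload[0] == 0x16 && payload[1] == 0x03 && payload[5] == 0x01 {
        return Transport::Tls;
    }
    // IRC is line-oriented text terminated by CRLF; lossy decoding tolerates
    // a payload that was cut in the middle of a multi-byte character.
    let text = String::from_utf8_lossy(payload);
    let (mut is_irc, mut token_exposed) = (false, false);
    for line in text.split("\r\n") {
        let (cmd, arg) = line.split_once(' ').unwrap_or((line, ""));
        if ["PASS", "NICK", "CAP", "JOIN"].iter().any(|c| cmd.eq_ignore_ascii_case(c)) {
            is_irc = true;
        }
        // Twitch chat logins send the OAuth token as "PASS oauth:<token>".
        if cmd.eq_ignore_ascii_case("PASS") && arg.starts_with("oauth:") {
            token_exposed = true;
        }
    }
    if is_irc {
        Transport::PlaintextIrc { token_exposed }
    } else {
        Transport::Unknown
    }
}

fn main() {
    // Constructed samples, not taken from a real capture.
    let plain = b"PASS oauth:PLACEHOLDER_TOKEN\r\nNICK example_user\r\nJOIN #example\r\n";
    let tls = [0x16u8, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00];
    println!("plaintext sample: {:?}", classify(plain));
    println!("tls sample:       {:?}", classify(&tls));
}
```

A client at the patched version should produce `Tls` for its first payload; `PlaintextIrc { token_exposed: true }` means the token crossed the network in the clear and should be revoked and reissued.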


Package

cargo twitch-tui (Rust)

Affected versions

< 2.4.1

Patched versions

2.4.1

References

  • GHSA-779w-xvpm-78jx
  • Xithrius/twitch-tui@74d13dd
  • https://github.com/Xithrius/twitch-tui/blob/340afc3c8c07a83289fe6ef614aa7563c8b70756/src/twitch/connection.rs#L23

Xithrius published to Xithrius/twitch-tui

Jul 29, 2023

Published to the GitHub Advisory Database

Jul 31, 2023

Reviewed

Jul 31, 2023
