PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5591 Poezio CVE debrief

CVE-2017-5591 describes an XMPP client trust failure in Message Carbons handling. In affected versions, a remote attacker may cause the application to display messages as if they came from another user, including a contact, which can mislead users and support social engineering. The official NVD data ties the issue to SleekXMPP up to 1.3.1, Slixmpp up to 1.2.3, and Poezio 0.8 through 0.10 as bundled with those libraries.

Vendor: Poezio
Product: CVE-2017-5591
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Poezio users and deployers, XMPP client maintainers, and security teams responsible for messaging endpoints should review this issue, especially where users rely on displayed sender identity for trust decisions.

Technical summary

The flaw is an incorrect implementation of XEP-0280 Message Carbons. NVD classifies it under CWE-20 and CWE-346 and scores it CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. The practical impact is integrity loss in the chat UI: a remote party can influence what sender identity the client displays, enabling impersonation-style social engineering without affecting confidentiality or availability.

Defensive priority

Medium. The bug does not indicate code execution or data theft, but it can undermine message authenticity and user trust in a communications client, which is high-value in phishing and impersonation scenarios.

Recommended defensive actions

  • Upgrade SleekXMPP to a version newer than 1.3.1 and Slixmpp to a version newer than 1.2.3, or use a Poezio release that bundles patched dependencies.
  • If you operate Poezio 0.8, 0.8.1, 0.9, or 0.10, verify the bundled XMPP library versions and confirm they are not in the vulnerable ranges.
  • Review message-rendering and Message Carbons handling so the client does not present untrusted carboned messages as if they originated from a different user.
  • Where immediate upgrading is not possible, reduce reliance on displayed identity cues for sensitive decisions until patched.
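The check that the technical summary and the third action above call for, as an added example written for this debrief (it is not Poezio's, SleekXMPP's or Slixmpp's own code): XEP-0280 requires a client to accept a carbon only when the outer stanza's `from` is the user's own bare JID, because carbons are generated by the user's own server. The stanzas, the JIDs and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid):
    """Drop the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def extract_carbon(stanza_xml, own_bare_jid):
    """Return (direction, peer_bare_jid, body) for a trustworthy carbon, else None.

    The outer <message> must come from our own bare JID; a carbon wrapper
    sent by anyone else is an unsolicited forward and must never be shown
    as if it came from the inner message's 'from'.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.get("from", "") != own_bare_jid:
        return None  # not generated by our own server: discard, do not render
    for direction in ("received", "sent"):
        wrapper = msg.find(f"{{{NS_CARBONS}}}{direction}")
        if wrapper is None:
            continue
        fwd = wrapper.find(f"{{{NS_FORWARD}}}forwarded")
        inner = fwd.find(f"{{{NS_CLIENT}}}message") if fwd is not None else None
        if inner is None:
            return None
        body = inner.findtext(f"{{{NS_CLIENT}}}body", default="")
        # The conversation peer is the inner sender for <received/>,
        # and the inner recipient for <sent/> (a copy of our own outgoing message).
        peer = inner.get("from") if direction == "received" else inner.get("to")
        return direction, bare_jid(peer or ""), body
    return None


# Constructed sample stanzas: the first is what alice's own server would deliver,
# the second is a wrapper injected by a third party that names bob as the sender.
INNER = ('<message xmlns="jabber:client" from="bob@example.com/phone" '
         'to="alice@example.com/desktop" type="chat"><body>{}</body></message>')
CARBON = ('<message xmlns="jabber:client" from="{}" to="alice@example.com/laptop" type="chat">'
          '<received xmlns="urn:xmpp:carbons:2"><forwarded xmlns="urn:xmpp:forward:0">'
          '{}</forwarded></received></message>')
LEGIT_CARBON = CARBON.format("alice@example.com", INNER.format("hi from bob"))
SPOOFED_CARBON = CARBON.format("mallory@example.net", INNER.format("spoofed text"))
```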

Evidence notes

This debrief is based on the supplied NVD record and referenced advisories/patch links. The source corpus states the affected versions (SleekXMPP <= 1.3.1, Slixmpp <= 1.2.3, Poezio 0.8/0.8.1/0.9/0.10), the issue class (incorrect XEP-0280 implementation), the likely impact (impersonation in the display leading to social engineering), and the NVD CVSS/CWE metadata.

Official resources

Published 2017-02-09 20:59 UTC in the supplied CVE/NVD data; the source record was last modified 2026-05-13 00:24 UTC.