PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5589 Yaxim CVE debrief

CVE-2017-5589 is a display-impersonation flaw in yaxim and Bruno for Android. According to the NVD record, an incorrect implementation of XEP-0280: Message Carbons can let a remote attacker make messages appear as if they came from another user, including contacts, which creates a social-engineering risk.

Vendor
Yaxim
Product
yaxim, Bruno (Android)
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Organizations or individuals using yaxim or Bruno on Android, especially versions 0.8.6 through 0.8.8, should care because the flaw can mislead users by spoofing the apparent sender of messages.

Technical summary

The vulnerability is described as an incorrect implementation of XEP-0280 (Message Carbons) in multiple XMPP clients. NVD lists yaxim and Bruno on Android 0.8.6, 0.8.7, and 0.8.8 as affected. The impact is integrity-related display spoofing: a remote attacker can impersonate users in the application’s UI, enabling convincing social-engineering attacks. The CVSS 3.0 vector provided by NVD is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, that is, network-reachable, high attack complexity, no privileges or user interaction required, and a high impact on integrity only (no confidentiality or availability impact).
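The page does not spell out which carbons check the affected clients got wrong. The check that XEP-0280 itself mandates (Security Considerations: forwarded copies must come from the user's own bare JID, anything else must be ignored) is the one a client needs to stop a third party from wrapping a forged message in a carbon. The example below is added here for illustration and is not yaxim or Bruno code; the JIDs, stanzas and function names are constructed for the example, and it is not a claim about the exact defect in the affected versions.

```python
"""
Added example: validating XEP-0280 Message Carbons in an XMPP client.
XEP-0280 requires that a <sent/> or <received/> carbon be accepted only when
the wrapping <message/> comes from the user's own bare JID. A client that
renders the forwarded inner message without that check lets any remote JID
make a message appear to come from a contact.
All stanzas below are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"

OWN_JID = "alice@example.org"  # assumed local account (bare JID), not a real user

# Legitimate carbon: the user's own server delivers it from the user's bare JID.
GENUINE_CARBON = f"""
<message xmlns="{NS_CLIENT}" from="{OWN_JID}" to="{OWN_JID}/phone" type="chat">
  <received xmlns="{NS_CARBONS}">
    <forwarded xmlns="{NS_FORWARD}">
      <message xmlns="{NS_CLIENT}" from="bob@example.org/desk" to="{OWN_JID}/laptop" type="chat">
        <body>Lunch at noon?</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Spoofed carbon: an unrelated JID wraps a forged message that claims to be from Bob.
SPOOFED_CARBON = f"""
<message xmlns="{NS_CLIENT}" from="mallory@evil.example/x" to="{OWN_JID}/phone" type="chat">
  <received xmlns="{NS_CARBONS}">
    <forwarded xmlns="{NS_FORWARD}">
      <message xmlns="{NS_CLIENT}" from="bob@example.org/desk" to="{OWN_JID}/laptop" type="chat">
        <body>Send me the VPN password, quickly.</body>
      </message>
    </forwarded>
  </received>
</message>"""


def bare_jid(jid: str) -> str:
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0]


def _forwarded_message(root):
    """Return the inner <message/> of a <sent/> or <received/> carbon, or None."""
    for tag in ("sent", "received"):
        wrapper = root.find(f"{{{NS_CARBONS}}}{tag}")
        if wrapper is not None:
            return wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
    return None


def vulnerable_sender(stanza_xml: str, own_jid: str):
    """Flawed handling: displays the inner message's 'from' without checking
    who delivered the carbon. own_jid is accepted only to mirror the hardened
    signature; it is never consulted here. Returns (display_sender, body)."""
    root = ET.fromstring(stanza_xml.strip())
    inner = _forwarded_message(root)
    if inner is None:
        return None
    return inner.get("from"), inner.findtext(f"{{{NS_CLIENT}}}body")


def hardened_sender(stanza_xml: str, own_jid: str):
    """XEP-0280-compliant handling: the outer stanza's 'from' must be exactly
    the user's own bare JID; a missing or different 'from' means the carbon
    is ignored and None is returned."""
    root = ET.fromstring(stanza_xml.strip())
    inner = _forwarded_message(root)
    if inner is None:
        return None
    if root.get("from") != bare_jid(own_jid):
        return None  # forged or misrouted carbon: drop it, never display it
    return inner.get("from"), inner.findtext(f"{{{NS_CLIENT}}}body")


if __name__ == "__main__":
    for label, stanza in (("genuine", GENUINE_CARBON), ("spoofed", SPOOFED_CARBON)):
        print(label, "vulnerable:", vulnerable_sender(stanza, OWN_JID))
        print(label, "hardened:  ", hardened_sender(stanza, OWN_JID))
```

Run stand-alone, the vulnerable handler renders the spoofed stanza as a message from bob@example.org, which is the impersonation the advisory describes; the hardened handler drops it because the wrapping stanza was not delivered from alice@example.org. The comparison is on the outer stanza only: the inner, forwarded message is attacker-controlled by design and must never be the basis for trust.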

Defensive priority

Medium. The issue is network-reachable and can affect trust in message identity, but the documented impact is limited to impersonation in the client display rather than direct code execution or data theft.

Recommended defensive actions

  • Upgrade yaxim or Bruno to a version that includes the upstream fix referenced by the project commit.
  • If immediate upgrading is not possible, treat sender identity in affected clients with extra caution and verify sensitive requests through an independent channel.
  • Review deployments for Android devices running yaxim or Bruno 0.8.6 through 0.8.8 and prioritize them for remediation.
  • Use the NVD record and the linked upstream patch reference to confirm the corrected build or release in your environment.

Evidence notes

The NVD CVE record states the issue is an incorrect implementation of XEP-0280: Message Carbons and lists affected CPEs for yaxim and Bruno versions 0.8.6, 0.8.7, and 0.8.8 on Android. The record also references an upstream GitHub patch commit and a third-party technical advisory that discuss the flaw. Published date used here is 2017-02-09, per the supplied CVE timeline.

Official resources

Publicly disclosed on 2017-02-09. The supplied NVD record was later modified on 2026-05-13, which is a record update date and not the vulnerability’s original issue date.