CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
38.7%
Severity: High
Date : 2021-08-10
CVE-ID : CVE-2021-36377
Package : fossil
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2146
The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.
Upgrade to 2.16-1.
The problem has been fixed upstream in version 2.16.
None.
Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.
A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.
https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
38.7%