Transifex command-line client has improper certificate validation

Source: GitHub Advisory Database (github.com), GHSA-JF99-2RJ4-JXRM
Published: 2022-05-17 04:45:17
Weakness: CWE-20
Tags: transifex, cli, certificate validation, security issue, data transfer

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

AI Score: 6.7 (Confidence: Low)
EPSS: 0.001 (Percentile: 35.2%)

Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073.

Affected configurations

Vulners node: transifex / transifex-client, version range < 0.10

Vendor: transifex
Product: transifex-client
Version: *
CPE: cpe:2.3:a:transifex:transifex-client:*:*:*:*:*:*:*:*
