Lucene search

GitHub Advisory DatabaseGHSA-JQQR-C2R2-9CVR

HistoryAug 25, 2021 - 8:42 p.m.

Improper Certificate Validation in security-framework

2021-08-2520:42:59

CWE-295

GitHub Advisory Database

github.com

custom root certificates

clientbuilder

hostname validation

trust evaluation

security-framework

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate. This issue was fixed by properly configuring the trust evaluation logic to perform that check.

Affected configurations

Vulners

Node

securityframeworkRange<0.1.12

VendorProductVersionCPE
securityframework*cpe:2.3:a:security:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
security	framework	*	cpe:2.3:a:security:framework::::::::

References

github.com/advisories/GHSA-jqqr-c2r2-9cvr

github.com/sfackler/rust-security-framework/pull/27

nvd.nist.gov/vuln/detail/CVE-2017-18588

rustsec.org/advisories/RUSTSEC-2017-0003.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

35.9%

JSON

Related for GHSA-JQQR-C2R2-9CVR