3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
37.1%
Severity: Low
Date : 2020-05-07
CVE-ID : CVE-2020-11054
Package : qutebrowser
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1152
The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.
Upgrade to 1.11.1-1.
The problem has been fixed upstream in version 1.11.1.
Treat any host with a certificate exception as insecure, ignoring the
URL color
Or set content.ssl_strict to True (instead of ‘ask’), preventing
certificate exceptions in the configuration
In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.
The user might think the webpage is secure, when in reality it has an
invalid certificate.
https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
https://security.archlinux.org/CVE-2020-11054
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | qutebrowser | < 1.11.1-1 | UNKNOWN |
github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
security.archlinux.org/AVG-1152
security.archlinux.org/CVE-2020-11054
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
37.1%