Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202108-8
HistoryAug 10, 2021 - 12:00 a.m.

[ASA-202108-8] fossil: certificate verification bypass

2021-08-1000:00:00
security.archlinux.org
105

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

38.7%

JSON

Arch Linux Security Advisory ASA-202108-8

Severity: High
Date : 2021-08-10
CVE-ID : CVE-2021-36377
Package : fossil
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-2146

Summary

The package fossil before version 2.16-1 is vulnerable to certificate
verification bypass.

Resolution

Upgrade to 2.16-1.

pacman -Syu “fossil>=2.16-1”

The problem has been fixed upstream in version 2.16.

Workaround

None.

Description

Fossil before version 2.15.2 often skips the hostname check during TLS
certificate validation.

Impact

A man-in-the-middle attacker could spoof a Fossil repository by
presenting any valid certificate for an arbitrary hostname, leading to
potential information disclosure.

References

https://www.fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
https://www.fossil-scm.org/home/info/aaab2a15d1dfc22f5453c2bad8f25ecf518ed3eef9a7fa6f4c5bd69ab4e4b075
https://security.archlinux.org/CVE-2021-36377

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyfossil< 2.16-1UNKNOWN

Related

cve 1
debiancve 1
alpinelinux 1
prion 1
nvd 1
ubuntucve 1
openvas 2
fedora 1
mageia 1
cvelist 1
cve
cve
CVE-2021-36377
2021-07-12 13:15:08
debiancve
debiancve
CVE-2021-36377
2021-07-12 13:15:08
alpinelinux
alpinelinux
CVE-2021-36377
2021-07-12 13:15:00
prion
prion
Input validation
2021-07-12 13:15:00
nvd
nvd
CVE-2021-36377
2021-07-12 13:15:08
ubuntucve
ubuntucve
CVE-2021-36377
2021-07-12 00:00:00
openvas
openvas
Fedora: Security Advisory for fossil (FEDORA-2021-8523af7a88)
2021-07-27 00:00:00
Mageia: Security Advisory (MGASA-2021-0491)
2022-01-28 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: fossil-2.14.2-1.fc34
2021-07-26 00:42:04
mageia
mageia
Updated fossil packages fix security vulnerability
2021-10-27 15:13:28
cvelist
cvelist
CVE-2021-36377
2021-07-12 12:11:49

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

38.7%

JSON
Related for ASA-202108-8
cve1debiancve1alpinelinux1prion1nvd1ubuntucve1openvas2fedora1mageia1cvelist1