Lucene search

GitHub Advisory DatabaseGHSA-H6X7-R5RG-X5FW

HistoryMar 28, 2024 - 5:53 p.m.

Serverpod client accepts any certificate

2024-03-2817:53:26

CWE-295

GitHub Advisory Database

github.com

serverpod

client

tsl

certificate

vulnerability

encryption

traffic

man in the middle

attack

device

server

patch

upgrade

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

This bug bypassed the validation of TSL certificates on all none web HTTP clients in the serverpod_client package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server.

An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used.

Impact

All versions of serverpod_client pre 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

Affected configurations

Vulners

Node

github_advisory_databaseserverpod_clientRange<1.2.6

CPENameOperatorVersion
serverpod_clientlt1.2.6

CPE	Name	Operator	Version
	serverpod_client	lt	1.2.6

References

github.com/advisories/GHSA-h6x7-r5rg-x5fw

github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71

github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw

nvd.nist.gov/vuln/detail/CVE-2024-29887

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for GHSA-H6X7-R5RG-X5FW