Paragon Initiative Enterprises: Using plain git protocol (vulnerable to MITM)

ID H1:181214
Type hackerone
Reporter e3amn2l
Modified 2016-11-09T23:47:38


Using plain git protocol (git://domain) is insecure as the server is not verified (MITM attacker can return different content if last commit not checked against known one) more information about this issue (Protocols to choose from when cloning): vcs-field-uses-insecure-uri check details:

in: - git clone git://

fix: 1. use https protocol instead of git. (https:// vs git://) 2. implement verification of last commit/tag if possible (known commit/tag is fetched instead of master), more details about possible implementations in report: "Missing GIT tag/commit verification in Docker"