Lucene search

GoogleOSV:GHSA-H6X7-R5RG-X5FW

HistoryMar 28, 2024 - 5:53 p.m.

Serverpod client accepts any certificate

2024-03-2817:53:26

Google

osv.dev

serverpod client

tsl certificates

validation

bug

encryption

man in the middle attack

vulnerability

traffic interception

software patch

version 1.2.6

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

8.7%

JSON

This bug bypassed the validation of TSL certificates on all none web HTTP clients in the serverpod_client package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server.

An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used.

Impact

All versions of serverpod_client pre 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

CPENameOperatorVersion
serverpod_clienteq1.2.2-rc.1
serverpod_clienteq0.9.12
serverpod_clienteq0.9.20
serverpod_clienteq1.2.0
serverpod_clienteq0.8.5
serverpod_clienteq1.2.0-rc.1
serverpod_clienteq0.9.9
serverpod_clienteq0.8.0
serverpod_clienteq0.9.4
serverpod_clienteq0.9.21

Name	Operator	Version
serverpod_client	eq	1.2.2-rc.1
serverpod_client	eq	0.9.12
serverpod_client	eq	0.9.20
serverpod_client	eq	1.2.0
serverpod_client	eq	0.8.5
serverpod_client	eq	1.2.0-rc.1
serverpod_client	eq	0.9.9
serverpod_client	eq	0.8.0
serverpod_client	eq	0.9.4
serverpod_client	eq	0.9.21

Rows per page:

1-10 of 531

References

github.com/serverpod/serverpod

github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71

github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw

nvd.nist.gov/vuln/detail/CVE-2024-29887