Veracode Vulnerability Database: VERACODE:45245
History: Jan 31, 2024 - 6:33 a.m.

Improper Certificate Validation

2024-01-31 06:33:53
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: meshcentral, vulnerability, certificate validation, https, tls, security weaknesses, cryptographic algorithms, hmac-md5, brute force

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.9
Confidence: High

EPSS: 0.001
Percentile: 22.8%

meshcentral is vulnerable to Improper Certificate Validation. The vulnerability is due to HTTPS connections that disable certificate verification by setting rejectUnauthorized to false, the use of outdated and insecure TLS versions known for security weaknesses, and the use of algorithms like HMAC-MD5 that are vulnerable to brute force attacks.
