GHSA-h6x7-r5rg-x5fw

Suggest an improvement
Source
https://github.com/advisories/GHSA-h6x7-r5rg-x5fw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h6x7-r5rg-x5fw/GHSA-h6x7-r5rg-x5fw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h6x7-r5rg-x5fw
Aliases
Published
2024-03-28T17:53:26Z
Modified
2024-03-28T18:11:48.116606Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Serverpod client accepts any certificate
Details

This bug bypassed the validation of TSL certificates on all none web HTTP clients in the serverpod_client package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server.

An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used.

Impact

All versions of serverpod_client pre 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

Database specific
{
    "nvd_published_at": "2024-03-27T19:15:49Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-28T17:53:26Z"
}
References

Affected packages

Pub / serverpod_client

Package

Name
serverpod_client
Purl
pkg:pub/serverpod_client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.6

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.20
0.9.21
0.9.22

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0-rc.1
1.2.0-rc.2
1.2.0-rc.3
1.2.0-rc.4
1.2.0
1.2.1-rc.1
1.2.1-rc.2
1.2.1-rc.3
1.2.1
1.2.2-rc.1
1.2.2
1.2.3
1.2.4
1.2.5