[Java]: CWE 295 - Insecure TrustManager - MiTM #221
Comments
@intrigus-lgtm this relates to github/codeql#3581 right?
And/or github/codeql#4536 ? (If the latter, could you answer my review questions?)
Or even github/codeql#4879 ?
This relates to github/codeql#4879. I just added a link to the query in the issue. I will try to apply your review questions/suggestions from github/codeql#4536 to github/codeql#4879 to the extent that the code in question still exists.
I now see that there's also #222 -- might be worth commenting briefly about the difference between the two
Hey @intrigus-lgtm I'll take this out of our bounty pipeline for now similarly to #108
Your submission is now in status Closed. For information, the evaluation workflow is the following:
I'm going to close the issue. Feel free to re-open it when ready.
@JarLob please re-open 🎉 🎉
Your submission is now in status SecLab finalize. For information, the evaluation workflow is the following:
Your submission is now in status Pay. For information, the evaluation workflow is the following:
Created Hackerone report 1264781 for bounty 317584 : [221] [Java]: CWE 295 - Insecure TrustManager - MiTM
Your submission is now in status Closed. For information, the evaluation workflow is the following:
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
CVE-2020-26234
(The CVE explicitly talks about hostname verification, but at the same time it also had an insecure TrustManager implementation, see here: https://github.com/opencast/opencast/blob/640c5017db13b0c1875b2fe52360f873a074291c/modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java#L119-L153)
CVE-2020-13955
(The CVE explicitly talks about hostname verification, but at the same time it also had an insecure TrustManager implementation, see here: apache/calcite@43eeafc and https://github.com/apache/calcite/blob/3d13846a13398a1ba6c1fa84a7d0c0cc543f23d4/core/src/main/java/org/apache/calcite/runtime/TrustAllSslSocketFactory.java#L50)
CVE-2021-21385 (GHSA-9657-33wf-rmvx)
Note that the fixed code is written in Kotlin; the app has recently been converted to a Kotlin app and the issue has been found in the semantically equivalent Java version.
CVE-2021-32700 (GHSA-f5qg-fqrw-v5ww)
This issue would have allowed a supply-chain-attack/RCE against users of Ballerina via a MitM.
The fix commit is here: ballerina-platform/ballerina-lang@2476dcf#diff-bb49a1821c5dd9c8b726befeabc0a090e449952fd6a876106216685c8946258e
Report
Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
An insecure TrustManager is an implementation of the TrustManager interface where the checkServerTrusted method trusts any certificate because it never throws a CertificateException. As the TrustManager trusts any certificate, an attacker can create a self-signed certificate that will be accepted, since any certificate is trusted. This enables a MitM attack against the connection, which makes it possible to steal sensitive secrets such as login data or other tokens.
Query
github/codeql#4879
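As an added illustration of the pattern the report describes (this is example code written for this page, not code from the CodeQL query or from any of the projects named above), the following Java shows the vulnerable shape, a checkServerTrusted that never throws, next to two fixed forms: delegating to the JVM's default validating TrustManager, and trusting a specific private CA by loading it into a dedicated trust store instead of disabling validation. The class name TrustManagerExample, the method names and the placeholder URL are assumptions chosen for the example.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // VULNERABLE (the shape the query flags): checkServerTrusted never throws
    // CertificateException, so any chain the server presents, including an
    // attacker's self-signed certificate, is accepted.
    static final class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // no validation
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // no validation and no exception: every server certificate is trusted
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    // VULNERABLE: wires the trust-all manager into an SSLContext. Any TLS
    // connection built from this context can be intercepted.
    static SSLContext insecureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        return ctx;
    }

    // FIXED: use the platform's default TrustManager. It validates the chain
    // against the JVM trust store (cacerts) and throws CertificateException
    // when validation fails, so untrusted certificates are rejected.
    static SSLContext secureContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // FIXED variant for the usual reason trust-all code gets written (a server
    // with a private CA or self-signed certificate): trust exactly that
    // certificate via a dedicated trust store while keeping full chain validation.
    static SSLContext contextTrustingPrivateCa(InputStream pemCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(pemCertificate);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory trust store
        ks.setCertificateEntry("private-ca", ca);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Install the validating context as the default for HttpsURLConnection;
        // the URL is a placeholder and is not connected to here.
        HttpsURLConnection.setDefaultSSLSocketFactory(secureContext().getSocketFactory());
        HttpsURLConnection conn =
            (HttpsURLConnection) new java.net.URL("https://example.invalid/").openConnection();
        System.out.println("Using " + conn.getSSLSocketFactory().getClass().getSimpleName());
    }
}
```

When reviewing code for this weakness, the thing to look for is exactly what the report states: a checkServerTrusted body with no path that throws CertificateException (empty body, or one that only logs). Both fixed forms above leave the throwing behaviour to the factory-created TrustManager, so the distinguishing check is preserved; note that hostname verification is a separate step (the CVEs listed above were filed for that) and is not addressed by fixing the TrustManager alone.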