GHSA-GW55-JM4H-X339

Vulnerability from github – Published: 2020-05-08 18:54 – Updated: 2021-10-08 19:56
VLAI?
Summary
Improper Validation of Certificate with Host Mismatch in Java-WebSocket
Details

The Java-WebSocket Client does not perform hostname verification.

  • This means that SSL certificates of other hosts are accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket Client and an WebSocket server it's connecting to.
  • TLS normally protects users and systems against MITM attacks, it cannot if certificates from other trusted hosts are accepted by the client.

For more information see: CWE-297: Improper Validation of Certificate with Host Mismatch - https://cwe.mitre.org/data/definitions/297.html

Important note

The OWASP Dependency-Check (https://jeremylong.github.io/DependencyCheck/index.html) may report that a dependency of your project is affected by this security vulnerability, but you don't use this lib. This is caused by the fuzzy search in the OWASP implementation. Check out this issue (https://github.com/TooTallNate/Java-WebSocket/issues/1019#issuecomment-628507934) for more information and a way to suppress the warning.

Severity ?
9.0 (Critical)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.java-websocket:Java-WebSocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-297"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-08T18:54:10Z",
    "nvd_published_at": "2020-05-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Java-WebSocket Client does not perform hostname verification.\n\n - This means that SSL certificates of other hosts are accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket Client and an WebSocket server it\u0027s connecting to.\n - TLS normally protects users and systems against MITM attacks, it cannot if certificates from other trusted hosts are accepted by the client.\n\nFor more information see: CWE-297: Improper Validation of Certificate with Host Mismatch - https://cwe.mitre.org/data/definitions/297.html\n\n## Important note\n\nThe OWASP Dependency-Check (https://jeremylong.github.io/DependencyCheck/index.html) may report that a dependency of your project is affected by this security vulnerability, but you don\u0027t use this lib.\nThis is caused by the fuzzy search in the OWASP implementation.\nCheck out this issue (https://github.com/TooTallNate/Java-WebSocket/issues/1019#issuecomment-628507934) for more information and a way to suppress the warning.",
  "id": "GHSA-gw55-jm4h-x339",
  "modified": "2021-10-08T19:56:49Z",
  "published": "2020-05-08T18:54:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11050"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TooTallNate/Java-WebSocket"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Validation of Certificate with Host Mismatch in Java-WebSocket"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.