PYSEC-2020-97

Vulnerability from pysec - Published: 2020-05-07 21:15 - Updated: 2020-09-21 02:15
VLAI?
Details

In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.

Impacted products
Name purl
qutebrowser pkg:pypi/qutebrowser
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "qutebrowser",
        "purl": "pkg:pypi/qutebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19f01bb42d02da539446a52a25bb0c1232b86327"
            },
            {
              "fixed": "4020210b193f77cf1785b21717f6ef7c5de5f0f8"
            },
            {
              "fixed": "a45ca9c788f648d10cccce2af41405bf25ee2948"
            },
            {
              "fixed": "021ab572a319ca3db5907a33a59774f502b3b975"
            },
            {
              "fixed": "d28ed758d077a5bf19ddac4da468f7224114df23"
            },
            {
              "fixed": "6821c236f9ae23adf21d46ce0d56768ac8d0c467"
            },
            {
              "fixed": "9bd1cf585fccdfe8318fff7af793730e74a04db3"
            },
            {
              "fixed": "f5d801251aa5436aff44660c87d7013e29ac5864"
            },
            {
              "fixed": "2281a205c3e70ec20f35ec8fafecee0d5c4f3478"
            },
            {
              "fixed": "1b7946ed14b386a24db050f2d6dba81ba6518755"
            }
          ],
          "repo": "https://github.com/qutebrowser/qutebrowser",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.0",
        "0.1.0",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.4.0",
        "0.4.1",
        "0.5.0",
        "0.5.1",
        "0.6.0",
        "0.6.1",
        "0.6.2",
        "0.7.0",
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.9.0",
        "0.9.1",
        "0.10.0",
        "0.10.1",
        "0.11.0",
        "0.11.1",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.2.0",
        "1.2.1",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.7.0",
        "1.8.0",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.9.0",
        "1.10.0",
        "1.10.1",
        "1.10.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11054",
    "GHSA-4rcq-jv2f-898j"
  ],
  "details": "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn\u0027t be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
  "id": "PYSEC-2020-97",
  "modified": "2020-09-21T02:15:00Z",
  "published": "2020-05-07T21:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3"
    },
    {
      "type": "WEB",
      "url": "https://tracker.die-offenbachs.homelinux.org/eric/issue328"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478"
    },
    {
      "type": "WEB",
      "url": "https://bugs.kde.org/show_bug.cgi?id=420902"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/qutebrowser/qutebrowser/issues/5403"
    },
    {
      "type": "FIX",
      "url": "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.