[mifos-mobile is an] (...) Android Application built on top of the MifosX Self-Service platform for end-user customers to view/transact on the accounts and loans they hold.
Note that the fixed code is written in Kotlin; the app has recently been converted to a Kotlin app and the issue has been found in the semantically equivalent Java version.
Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
An insecure TrustManager is an implementation of the TrustManager interface whose checkServerTrusted method trusts any certificate because it never throws a CertificateException.
Because such a TrustManager trusts every certificate, an attacker can present a self-signed certificate and it will be accepted. This makes a MitM attack against the connection possible, through which sensitive secrets such as login data or other tokens can be stolen.
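The two shapes side by side, as an added example that is not code from the report or from any of the projects listed below: the trust-all manager is the pattern the query flags, and `defaultTrustManager()` is the fix (delegate to the JVM's own X509TrustManager, which validates the chain against the system trust store). Class and method names are mine.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustManagerExample {

    // INSECURE (the pattern the query flags): checkServerTrusted never throws,
    // so every certificate, including an attacker's self-signed one, is accepted.
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // SECURE: use the platform's default X509TrustManager. It validates the chain
    // against the system trust store and throws CertificateException otherwise.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's default trust store (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // SSLContext wired to the default manager. With HttpsURLConnection the default
    // HostnameVerifier stays in place, so hostname verification is preserved as well.
    static SSLContext secureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { defaultTrustManager() }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = defaultTrustManager();
        System.out.println("Trusted CA certificates: " + tm.getAcceptedIssuers().length);
        // An empty chain is rejected by the default manager but not by the trust-all one.
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            System.out.println("default manager: accepted (unexpected)");
        } catch (CertificateException | IllegalArgumentException e) {
            System.out.println("default manager rejected empty chain: " + e.getClass().getSimpleName());
        }
        new TrustAllManager().checkServerTrusted(new X509Certificate[0], "RSA");
        System.out.println("trust-all manager accepted the empty chain: this is the bug");
    }
}
```

A code review or CodeQL rule should treat any `X509TrustManager` whose `checkServerTrusted` has no throwing path as a finding, regardless of whether hostname verification is also disabled.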
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
CVE-2020-26234
(The CVE explicitly talks about hostname verification, but at the same time it also had an insecure TrustManager implementation, see here: https://github.com/opencast/opencast/blob/640c5017db13b0c1875b2fe52360f873a074291c/modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java#L119-L153)
CVE-2020-13955
(The CVE explicitly talks about hostname verification, but at the same time it also had an insecure TrustManager implementation, see here: apache/calcite@43eeafc and https://github.com/apache/calcite/blob/3d13846a13398a1ba6c1fa84a7d0c0cc543f23d4/core/src/main/java/org/apache/calcite/runtime/TrustAllSslSocketFactory.java#L50)
CVE-2021-21385 (GHSA-9657-33wf-rmvx)
CVE-2021-32700 (GHSA-f5qg-fqrw-v5ww)
This issue would have allowed a supply-chain-attack/RCE against users of Ballerina via a MitM.
The fix commit is here: ballerina-platform/ballerina-lang@2476dcf#diff-bb49a1821c5dd9c8b726befeabc0a090e449952fd6a876106216685c8946258e
Report
Query
github/codeql#4879