Serverpod client accepts any certificate

High severity GitHub Reviewed Published Mar 27, 2024 in serverpod/serverpod • Updated Mar 28, 2024

Package

pub serverpod_client (Pub)

Affected versions

< 1.2.6

Patched versions

1.2.6

Description

This bug bypassed the validation of TLS certificates on all non-web HTTP clients in the serverpod_client package, making them susceptible to a man-in-the-middle attack against encrypted traffic between the client device and the server.

An attacker would need to be able to intercept the traffic and hijack the connection to the server for this vulnerability to be used.
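As an added illustration that is not code from the serverpod_client package, the dart:io HttpClient idiom that produces this class of bug is shown beside the hardened default; `caPemPath` and the example host are placeholders.

```dart
// Added illustration (not serverpod_client's own code): how a dart:io
// HttpClient ends up accepting any certificate, and what to do instead.
// On web, dart:io is unavailable and the browser validates TLS itself,
// which is why the advisory scopes the bug to non-web clients.
import 'dart:io';

/// WEAK: a badCertificateCallback that always returns true tells dart:io to
/// accept every server certificate, including one presented by a party that
/// has intercepted the connection. Nothing fails, so nothing is noticed.
HttpClient insecureClient() {
  return HttpClient()
    ..badCertificateCallback =
        (X509Certificate cert, String host, int port) => true;
}

/// HARDENED: leave badCertificateCallback unset. dart:io then rejects any
/// certificate that does not chain to a trusted root in the platform store
/// or does not match the host name; the request fails with HandshakeException.
HttpClient secureClient() {
  return HttpClient();
}

/// If a private CA is genuinely needed (e.g. a staging server), trust that
/// CA explicitly instead of disabling validation. `caPemPath` is a placeholder
/// for the path to your own CA bundle in PEM format.
HttpClient clientTrustingPrivateCa(String caPemPath) {
  final ctx = SecurityContext(withTrustedRoots: true)
    ..setTrustedCertificates(caPemPath);
  return HttpClient(context: ctx);
}

Future<void> main() async {
  // Constructed example host. With secureClient(), an endpoint whose
  // certificate is untrusted fails the handshake instead of being accepted.
  final client = secureClient();
  try {
    final req = await client.getUrl(Uri.parse('https://example.invalid/'));
    await req.close();
  } on HandshakeException catch (e) {
    print('TLS validation rejected the server certificate: $e');
  } on SocketException catch (e) {
    print('Connection failed before TLS: $e');
  } finally {
    client.close();
  }
}
```

A code-base audit for this class of defect is a search for `badCertificateCallback` whose body returns a constant `true`.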

Impact

All versions of serverpod_client prior to 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

References

SandPod (@SandPod) published to serverpod/serverpod Mar 27, 2024
Published by the National Vulnerability Database Mar 27, 2024
Published to the GitHub Advisory Database Mar 28, 2024
Reviewed Mar 28, 2024
Last updated Mar 28, 2024

Severity

High (7.4 / 10)

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

CVE-2024-29887

GHSA ID

GHSA-h6x7-r5rg-x5fw

Source code

Credits
