CVE-2019-3685

Severity
7.7 HIGH
EPSS
0.2%
top 60.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 5
Latest update: May 24

Description

Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages: 2 packages

CVEListV5 | open_build_service/open_build_service | unspecified | 0.165.4

Patches

🔴 Vulnerability Details

3
GHSA
GHSA-j9gx-ccw3-w6cf: Open Build Service before version 0 (2022-05-24)
CVEList
Missing TLS certificate validation for HTTPS connections in osc (2019-11-05)
OSV
CVE-2019-3685: Open Build Service before version 0 (2019-11-05)

📋 Vendor Advisories

1
Debian
CVE-2019-3685: osc - Open Build Service before version 0.165.4 didn't validate TLS certificates for ... (2019)

💬 Community

1
Bugzilla
CVE-2019-3685 osc: fails to adequately verify TLS certificates allowing for a man in the middle attack (2019-08-06)