CVE-2020-15604 — Improper Certificate Validation in Antivirus + 2019

CWE-295 — Improper Certificate Validation CWE-494 — Download of Code Without Integrity Check4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trendmicro Antivirus + 2019 Trendmicro Internet Security 2019 Trendmicro Maximum Security 2019 +3 more

Timeline

PublishedSep 24

Latest updateMay 24

Description

An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-494: Update files are not properly verified.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDtrendmicro/maximum_security_201915.0

▶NVDtrendmicro/premium_security_201915.0

▶NVDtrendmicro/internet_security_201915.0

▶NVDtrendmicro/antivirus_+_201915.0

▶CVEListV5trend_micro/trend_micro_security2019 (v15)

🔴Vulnerability Details

GHSA

GHSA-h6wp-6m5m-gc8m: An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an atta↗2022-05-24

▶

CVEList

CVE-2020-15604: An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an atta↗2020-09-24

▶