CVE-2021-36377 — Improper Certificate Validation in Fossil

Severity

7.5HIGHNVD

EPSS

0.1%

top 71.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedJul 12

Latest updateMay 24

Description

Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

▶NVDfossil-scm/fossil2.15.0 — 2.15.2+1

▶Debianfossil-scm/fossil< 1:2.15.2-1+2

Also affects: Fedora 34

GHSA

GHSA-4cqm-xv6v-78c5: Fossil before 2↗2022-05-24

▶

CVEList

CVE-2021-36377: Fossil before 2↗2021-07-12

▶

OSV

CVE-2021-36377: Fossil before 2↗2021-07-12

▶

Debian

CVE-2021-36377: fossil - Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check dur...↗2021

▶