CVE-2021-39360 — Improper Certificate Validation in Libzapojit

CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

5.9MEDIUMNVD

OSV7.5

EPSS

0.5%

top 33.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Libzapojit Fedoraproject Fedora Debian Libzapojit

Timeline

PublishedAug 22

Latest updateMay 24

Description

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDgnome/libzapojit0.0.3

▶debiandebian/libzapojit

Also affects: Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-3j9h-5r8r-rrxc: In GNOME libzapojit through 0↗2022-05-24

▶

OSV

CVE-2021-39360: In GNOME libzapojit through 0↗2021-08-22

▶

📋Vendor Advisories

Red Hat

libzapojit: missing TLS certificate verification↗2021-08-22

▶

Debian

CVE-2021-39360: libzapojit - In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificat...↗2021

▶