CVE-2021-39365 — Improper Certificate Validation in Grilo

CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

5.9MEDIUMNVD

OSV7.5

EPSS

0.3%

top 44.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Grilo Debian Grilo Debian Linux

Timeline

PublishedAug 22

Latest updateMay 24

Description

In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Debiangnome/grilo< 0.3.13-1+deb11u1+3

▶NVDgnome/grilo0.3.13

▶debiandebian/grilo< grilo 0.3.13-1.1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: gitlab.gnome.org ↗Patch: gitlab.gnome.org ↗

🔴Vulnerability Details

GHSA

GHSA-jvwp-xr6v-4m4f: In GNOME grilo though 0↗2022-05-24

▶

OSV

CVE-2021-39365: In GNOME grilo though 0↗2021-08-22

▶

📋Vendor Advisories

Ubuntu

GNOME grilo vulnerability↗2021-08-30

▶

Red Hat

grilo: missing TLS certificate verification↗2021-06-21

▶

Debian

CVE-2021-39365: grilo - In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verif...↗2021

▶