Title: Java: CWE-273 Unsafe certificate trust · Issue #102 · github/securitylab · GitHub
Open Graph Title: Java: CWE-273 Unsafe certificate trust · Issue #102 · github/securitylab
X Title: Java: CWE-273 Unsafe certificate trust · Issue #102 · github/securitylab
Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information you think will help GitHub assess the imp...
Open Graph Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y...
X Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y...
Opengraph URL: https://github.com/github/securitylab/issues/102
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Java: CWE-273 Unsafe certificate trust","articleBody":"## CVE ID(s)\r\n\r\n*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*\r\n\r\n## Report\r\n\r\n*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*\r\n\r\nThe query checks a very common issue with web development - certificate trust manager is set to trust all certificates or the hostname verifier is turned off. \r\n\r\nJava offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.\r\n\r\nUnsafe implementation of the interface X509TrustManager and HostnameVerifier ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.\r\n\r\nI've tested it against some GitHub projects, and a test case has been created to facilitate auto-testing. The relevant PR is [PR #3550](https://github.com/github/codeql/pull/3550).\r\n\r\n- [Yes] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*","author":{"url":"https://github.com/luchua-bc","@type":"Person","name":"luchua-bc"},"datePublished":"2020-05-24T16:55:59.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/102/securitylab/issues/102"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:ee1119ec-8dc2-438b-550f-a64d24bbb31a |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | E8F6:150C3:1CD9D3:2710F9:6A4C6B2C |
| html-safe-nonce | c48eb919667329d8aecda1387b0b52c45aa224ba9610611aa7e9a7464c964fe6 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFOEY2OjE1MEMzOjFDRDlEMzoyNzEwRjk6NkE0QzZCMkMiLCJ2aXNpdG9yX2lkIjoiMzUxNjUzNjAzMDUwODExNjc4MCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 063230f0bc3218471c142f0f5120a22416c44673906c92fab5ff3e57ea831841 |
| hovercard-subject-tag | issue:623902648 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/102/issue_layout |
| twitter:image | https://opengraph.githubassets.com/2f1391843a0581d80c0696d5c509a03c8c030b53184296fbc1dd8b69c053c945/github/securitylab/issues/102 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/2f1391843a0581d80c0696d5c509a03c8c030b53184296fbc1dd8b69c053c945/github/securitylab/issues/102 |
| og:image:alt | CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. Report Describe the vulnerability. Provide any information y... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | luchua-bc |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 14099438da5379150f15a2892474c7c7e6c0e55e |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width