Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNng3LXI1cmcteDVmd84AA6aw
Serverpod client accepts any certificate
This bug bypassed the validation of TSL certificates on all none web HTTP clients in the serverpod_client package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server.
An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used.
Impact
All versions of serverpod_client pre 1.2.6
Patches
Upgrading to version 1.2.6 resolves this issue.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNng3LXI1cmcteDVmd84AA6aw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-h6x7-r5rg-x5fw, CVE-2024-29887
References:
- https://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw
- https://nvd.nist.gov/vuln/detail/CVE-2024-29887
- https://github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71
- https://github.com/advisories/GHSA-h6x7-r5rg-x5fw
Blast Radius: 9.3
Affected Packages
pub:serverpod_client
Dependent packages: 10Dependent repositories: 18
Downloads:
Affected Version Ranges: < 1.2.6
Fixed in: 1.2.6
All affected versions: 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5
All unaffected versions: 1.2.6