
CVE-2024-29887 serverpod_client

Package

Manager: pub
Name: serverpod_client
Vulnerable Version: >=0 <1.2.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00029 (percentile 0.0673)

Details

Serverpod client accepts any certificate

This bug bypassed validation of TLS certificates in all non-web HTTP clients in the `serverpod_client` package, making them susceptible to a man-in-the-middle attack against the encrypted traffic between the client device and the server. To exploit it, an attacker would need to be able to intercept the traffic and hijack the connection to the server, which is why the CVSS vectors above rate attack complexity as high (AC:H) and require an attack prerequisite (AT:P).

### Impact

All versions of `serverpod_client` before `1.2.6`.

### Patches

Upgrading to version `1.2.6` resolves this issue.
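
As an added illustration (not code from `serverpod_client` or the Serverpod project), the CWE-295 pattern this advisory describes, shown on `dart:io`'s `HttpClient`, the class non-web Dart HTTP clients are built on: the unconditional `badCertificateCallback` override that accepts every certificate, the default that leaves platform verification in place, and a narrowly scoped pin for a self-signed development server. The host, port and fingerprint values are placeholders, and `package:crypto` is assumed to be available for SHA-256.

```dart
// Added example, not serverpod_client code. Shows the "accept any certificate"
// pattern (CWE-295) on dart:io's HttpClient beside two safe alternatives.
import 'dart:io';

import 'package:crypto/crypto.dart' show sha256; // assumed dependency

/// VULNERABLE: returning true from badCertificateCallback accepts any
/// certificate the peer presents, including one forged by an on-path attacker
/// who has hijacked the connection. Host name and chain are never checked.
HttpClient insecureClient() {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true;
  return client;
}

/// FIXED: leave badCertificateCallback unset. The platform trust store then
/// verifies the chain and host name, and a bad certificate fails the handshake.
HttpClient secureClient() => HttpClient();

/// Narrow exception for a self-signed development server: accept exactly one
/// certificate, identified by the SHA-256 fingerprint of its DER encoding, and
/// only for the expected host and port. The callback is only consulted when
/// normal verification has already failed, so every other host, port or
/// certificate is still rejected.
HttpClient pinnedDevClient({
  required String devHost, // placeholder, e.g. 'localhost'
  required int devPort, // placeholder, e.g. 8080
  required String devCertSha256Hex, // placeholder fingerprint from the dev cert
}) {
  final client = HttpClient();
  final expected = devCertSha256Hex.replaceAll(':', '').toLowerCase();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) {
    if (host != devHost || port != devPort) return false;
    final fingerprint = sha256.convert(cert.der).toString();
    return fingerprint == expected;
  };
  return client;
}

/// Quick check that a client really rejects bad certificates: a server that
/// presents a self-signed certificate must raise HandshakeException with the
/// secure client. Default URL is a public test host (assumption: reachable).
Future<bool> rejectsBadCertificate(HttpClient client, Uri url) async {
  try {
    final req = await client.getUrl(url);
    final res = await req.close();
    await res.drain<void>();
    return false; // connection succeeded: certificate was accepted
  } on HandshakeException {
    return true; // TLS verification failed, as it should
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  final url = Uri.parse(
      args.isNotEmpty ? args.first : 'https://self-signed.badssl.com/');
  print('secure client rejects: ${await rejectsBadCertificate(secureClient(), url)}');
  print('insecure client rejects: ${await rejectsBadCertificate(insecureClient(), url)}');
}
```

When auditing a client for this bug, grep for `badCertificateCallback` and for `SecurityContext` construction with `withTrustedRoots: false`; any callback that returns `true` without inspecting `cert`, `host` and `port` is the pattern described above.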

Metadata

Created: 2024-03-28T17:53:26Z
Modified: 2024-03-28T17:53:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h6x7-r5rg-x5fw/GHSA-h6x7-r5rg-x5fw.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-h6x7-r5rg-x5fw
Finding: F163
Auto approve: 1