Headline
GHSA-h6x7-r5rg-x5fw: Serverpod client accepts any certificate
CVE-2024-29887 (GitHub Advisory Database, GitHub Reviewed)
Serverpod client accepts any certificate
High severity GitHub Reviewed Published Mar 27, 2024 in serverpod/serverpod • Updated Mar 28, 2024
Package
pub serverpod_client (Pub)
Affected versions
< 1.2.6
Description
This bug bypassed the validation of TLS certificates in all non-web HTTP clients of the serverpod_client package, making them susceptible to a man-in-the-middle attack against the encrypted traffic between the client device and the server. Because the client accepted any certificate, an attacker's own certificate was enough to terminate the TLS session and read or modify the traffic.
An attacker would need to be able to intercept the traffic and hijack the connection to the server for this vulnerability to be exploited.
Impact
All versions of serverpod_client before 1.2.6
Patches
Upgrading to version 1.2.6 resolves this issue.
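The following is an added example, not serverpod's code and not the change in the referenced commit: it reconstructs the kind of setting that disables certificate validation in a dart:io HttpClient, places a hardened builder beside it, and adds a smoke check that tells you whether the client you ship actually rejects a bad certificate. It assumes a client built on dart:io's HttpClient; the names `weakClient`, `hardenedClient`, `rejectsBadCertificate` and the `caPem` parameter are chosen for this example.

```dart
// Added example (not serverpod_client's own code). Assumes a dart:io HttpClient.
import 'dart:io';
import 'dart:typed_data';

/// WEAK: accepting every certificate removes the only thing that binds the TLS
/// session to the real server. An on-path attacker who hijacks the connection
/// can present any certificate and read or modify the traffic.
HttpClient weakClient() {
  final client = HttpClient();
  client.badCertificateCallback =
      (X509Certificate cert, String host, int port) => true; // accepts anything
  return client;
}

/// HARDENED: keep the platform's default validation. Optionally trust only a
/// private CA by loading its PEM bytes (`caPem` is a parameter of this example).
HttpClient hardenedClient({List<int>? caPem}) {
  final context = SecurityContext(withTrustedRoots: caPem == null);
  if (caPem != null) {
    context.setTrustedCertificatesBytes(caPem);
  }
  final client = HttpClient(context: context);
  // Still reject (return false), but log the attempt so MITM probes are visible.
  client.badCertificateCallback = (X509Certificate cert, String host, int port) {
    stderr.writeln('rejected certificate for $host:$port, '
        'subject=${cert.subject}, sha1=${_hex(cert.sha1)}');
    return false;
  };
  return client;
}

String _hex(Uint8List bytes) =>
    bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();

/// Smoke check: returns true when the TLS handshake is rejected. Point it at an
/// endpoint that presents a self-signed or mismatched certificate (for instance
/// a local test server). A client that returns false here still accepts any
/// certificate and is exposed to the attack described in this advisory.
Future<bool> rejectsBadCertificate(HttpClient client, Uri uri) async {
  try {
    final request = await client.getUrl(uri);
    final response = await request.close();
    await response.drain<void>();
    return false; // connected without complaint: validation is off
  } on HandshakeException {
    return true; // certificate verification failed, as it should
  } finally {
    client.close(force: true);
  }
}

Future<void> main(List<String> args) async {
  if (args.isEmpty) {
    stdout.writeln('usage: dart run check.dart https://<self-signed-test-host>/');
    return;
  }
  final uri = Uri.parse(args.first);
  stdout.writeln(
      'weak client rejects bad cert: ${await rejectsBadCertificate(weakClient(), uri)}');
  stdout.writeln(
      'hardened client rejects bad cert: ${await rejectsBadCertificate(hardenedClient(), uri)}');
}
```

Run it against a test endpoint that serves a self-signed certificate: the weak client reports `false` (it connects without complaint), the hardened client reports `true`. After upgrading to serverpod_client 1.2.6, the same kind of check against your own client build is the quickest way to confirm that the fix is in effect on the non-web platforms you ship.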
References
- GHSA-h6x7-r5rg-x5fw
- https://nvd.nist.gov/vuln/detail/CVE-2024-29887
- serverpod/serverpod@d55bf8d
Published to the GitHub Advisory Database
Mar 28, 2024
Last updated
Mar 28, 2024