[Java]: CWE 295 - Insecure TrustManager - MiTM

## CVE ID(s)

*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*

- CVE-2020-26234
(The CVE explicitly talks about hostname verification but at the same time it also had a insecure `TrustManager` implementation, see here:
 https://github.com/opencast/opencast/blob/640c5017db13b0c1875b2fe52360f873a074291c/modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java#L119-L153)
- CVE-2020-13955
(The CVE explicitly talks about hostname verification but at the same time it also had a insecure `TrustManager` implementation, see here:
 https://github.com/apache/calcite/commit/43eeafcbac29d02c72bd520c003cdfc571de2d15 and https://github.com/apache/calcite/blob/3d13846a13398a1ba6c1fa84a7d0c0cc543f23d4/core/src/main/java/org/apache/calcite/runtime/TrustAllSslSocketFactory.java#L50)
- CVE-2021-21385 (https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx)
  > [mifos-mobile is an] (...) Android Application built on top of the MifosX Self-Service platform for end-user customers to **view/transact** on the accounts and **loans** they hold.

  Note that the fixed code is written in *Kotlin*; the app has recently been converted to a Kotlin app and the issue has been found in the semantically equivalent Java version.

- CVE-2021-32700 (https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww)
  > Ballerina is an open source programming language and platform for cloud-era application programmers to easily write software that just works.

  This issue would have allowed a supply-chain-attack/RCE against users of Ballerina via a MitM.
  The fix commit is here: https://github.com/ballerina-platform/ballerina-lang/commit/2476dcf95f9c42518702864b226376ac46bd2f8f#diff-bb49a1821c5dd9c8b726befeabc0a090e449952fd6a876106216685c8946258e

## Report

*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.*
A insecure `TrustManager` is an implementation of the `TrustManager` interface, where the `checkServerTrusted` method trusts any certificate because it never throws a `CertificateException`.
As the `TrustManager` trusts any certificate, an attacker can create a self-signed certificate that will be accepted as any certificate is trusted. This leads to a MiTM attack against the connection thereby stealing sensitive secrets such as login data or other tokens is possible.

## Query
https://github.com/github/codeql/pull/4879

- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Java]: CWE 295 - Insecure TrustManager - MiTM #221

CVE ID(s)

Report

Query

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Java]: CWE 295 - Insecure TrustManager - MiTM #221

Description

CVE ID(s)

Report

Query

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions