CVE-2021-34599

Improper Certificate Validation in CODESYS Git

CVSS 7.4 HIGHEPSS 0.5%CWE-295

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.4EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

01 Dec 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

CODESYS · CODESYS Git

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16959&token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff&download