Insecure TLS Certificate Validation in OWASP Zed Attack Proxy
CVE-2022-27820

4MEDIUM

Key Information:

Vendor

Owasp

Status
Zed Attack Proxy
Vendor
CVE Published:
24 March 2022

What is CVE-2022-27820?

OWASP Zed Attack Proxy (ZAP) prior to version w2022-03-21 fails to properly verify the TLS certificate chain of an HTTPS server. This vulnerability allows an attacker to potentially intercept and manipulate traffic, leading to unauthorized data access. Users are recommended to upgrade to the latest version to mitigate the security risks associated with this flaw.

References

https://www.openwall.com/lists/oss-security/2022/03/23/1
x_refsource_MISC
https://github.com/zaproxy/zaproxy/releases
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/24/3
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.