#VU61607 Improper Certificate Validation in ZAP - CVE-2022-27820

Cybersecurity Help s.r.o.

Published: 2022-03-24

Vulnerability identifier: #VU61607

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-27820

CWE-ID: CWE-295

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
ZAP
Client/Desktop applications / Software for system administration

Vendor: OWASP

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing TLS certificate chain validation. A remote attacker can perform MitM attack and intercept communication between the ZAP proxy and the server.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

ZAP: w2015-07-14 - 2015-06-25

External links
https://www.openwall.com/lists/oss-security/2022/03/23/1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

MitM attack in OWASP ZAP Proxy