#VU70053 Improper Certificate Validation in python-scciclient - CVE-2022-2996


Vulnerability identifier: #VU70053

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-2996

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-scciclient
Universal components / Libraries / Libraries used by multiple products

Vendor: python-scciclient

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to application does not verify the server's certificate. A remote attacker can perform a man-in-the-middle attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

python-scciclient: 0.0.1 - 0.11.4

External links
https://opendev.org/x/python-scciclient/commit/274dca0344b65b4ac113d3271d21c17e970a636c
https://lists.debian.org/debian-lts-announce/2022/11/msg00006.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9
MitM attack in Red Hat OpenStack Platform
Red Hat OpenStack Platform 16.1 update for python-scciclient
Red Hat OpenStack Platform 16.2 update for python-scciclient
MitM attack in python-scciclient